Growing cloud infrastructures and DevOps environments give companies more agility, but at the same time expose them to greater dangers. Even so, supply chain management still focuses heavily on classic aspects such as delivery reliability and costs rather than on cybersecurity risks. Viewed as a typical supply chain, software is a core component of every product. This ranges from the design of the component, through networks with embedded software, to solutions for managing warehouse stocks. Software is present at every stage of the assembly and supply chain, and this increases the risk of compromise.
What Exactly Is A Software Supply Chain Attack?
Software consists of code libraries from commercial providers and of open source components. Each of these represents an independent stream of code that flows into what is commonly referred to as an app. Each stream in this system can in turn contain its own code streams. Put together, they form the supply chain for the finished service. Any compromise within this chain is a supply chain attack. No development effort is immune to such attacks, because the target can just as well be a code repository as a human developer.
Where Do Such Attacks Occur?
The easiest form of such an activity to understand occurs in open source development. Open source communities are not companies. Therefore, only those who are involved with the community developing a component know where the authorship lies. Anyone else, after some research, could just as easily take the source for the work of a prominent member of the community.
A hacker could easily create a compromised version of the code that somebody will find and probably use at some point. If this compromised code also becomes part of a release, the number of potential victims increases.
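As an added example, not code from the article, here is a small Python model of the code-stream structure the text describes: a constructed dependency graph and constructed artifact bytes, SHA-256 digests pinned when each component was reviewed, and a check that flags a tampered stream together with every component above it in the chain.

```python
import hashlib

# Constructed dependency graph: each component lists the code streams it pulls in.
# "app" is the product; the rest are commercial and open source components.
DEPENDENCIES = {
    "app": ["commercial-sdk", "oss-http"],
    "commercial-sdk": ["oss-json"],
    "oss-http": ["oss-json", "oss-compress"],
    "oss-json": [],
    "oss-compress": [],
}

# Constructed artifact contents as actually fetched into the build.
# oss-compress has been altered after it was originally reviewed.
FETCHED = {
    "commercial-sdk": b"sdk v2.1",
    "oss-http": b"http v1.4",
    "oss-json": b"json v3.0",
    "oss-compress": b"compress v0.9 plus unexpected extra code",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Digests recorded when each component was reviewed: the build trusts these,
# not the reputation of whoever appears to have published the code.
PINNED = {
    "commercial-sdk": sha256(b"sdk v2.1"),
    "oss-http": sha256(b"http v1.4"),
    "oss-json": sha256(b"json v3.0"),
    "oss-compress": sha256(b"compress v0.9"),
}


def tampered_components(fetched, pinned):
    """Components whose fetched bytes no longer match their pinned digest."""
    return {name for name, data in fetched.items() if sha256(data) != pinned.get(name)}


def tainted_components(deps, tampered):
    """Propagate compromise upward: anything depending (transitively) on a tampered stream is tainted."""
    memo = {}

    def tainted(name):
        if name not in memo:
            memo[name] = name in tampered or any(tainted(d) for d in deps.get(name, []))
        return memo[name]

    return {name for name in deps if tainted(name)}
```

Running it shows that one altered transitive component taints both the library that imports it and the app itself, while unrelated streams stay clean.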