# Supply Chain Security

Software supply chain, dependency management, SBOM, and vendor risk.

## Overview

Supply chain security protects a system against components that were compromised before they reached it: third-party libraries, build tooling, software updates, and hardware.
## Attack Vectors

| Vector | Example |
|---|---|
| Dependency confusion / typosquatting | A public package that shadows an internal package name, or a look-alike package name that catches typos |
| Compromised updates | SolarWinds attack (malicious code delivered through a legitimate update channel) |
| Open source risks | Malicious commits merged into a widely used project |
| Hardware implants | Chip tampering |
## Software Bill of Materials (SBOM)

A minimal CycloneDX document listing one component:

```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {
      "type": "library",
      "name": "lodash",
      "version": "4.17.21",
      "licenses": [{"id": "MIT"}]
    }
  ]
}
```
## Dependency Scanning

```bash
# npm audit: report known vulnerabilities in the lock file, then apply compatible fixes
npm audit
npm audit fix

# Snyk: one-off test, then register the project for continuous monitoring
snyk test
snyk monitor

# OWASP Dependency Check: scan a directory tree for known-vulnerable components
dependency-check --project "My App" --scan ./src
```
## Secure Development Practices

```bash
# Signed commits: sign every commit with the given GPG key (key ID is a placeholder)
git config --global commit.gpgsign true
git config --global user.signingkey ABCDEF1234567890
```

```yaml
# Verified builds (illustrative pipeline configuration keys)
build:
  verify_signatures: true
  reproducible_builds: true
```
## Vendor Risk Assessment

| Criteria | Weight |
|---|---|
| Security certifications | 25% |
| Incident history | 20% |
| Data handling practices | 20% |
| Contractual obligations | 15% |
| Financial stability | 10% |
| Business continuity | 10% |
## Best Practices

- Verify signatures: check code and package signatures (or pinned hashes) before trusting or installing anything
- Pin dependencies: lock to specific versions so a build cannot silently pull a newer or substituted package
- Scan dependencies: run regular audits with tools such as those above
- Vendor assessment: perform due diligence before onboarding a vendor and repeat it periodically
- Monitor for vulnerabilities: continuously, since new advisories affect versions that are already shipped
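The "verify signatures" and "pin dependencies" points above can be enforced at install time. The following added example (not code from the original page) checks a hash-pinned requirement in pip's `--hash=sha256:<hex>` syntax against the bytes of a downloaded artifact and refuses the install on mismatch. The artifact bytes, the package name `example-lib` and the pinned digest are constructed for the demonstration.

```python
"""Enforce hash-pinned dependencies before installation (added example).

Requirement lines use pip's '--hash=<algo>:<hex>' option. The artifact and
its pinned digest below are constructed for the demo; in a real pipeline the
pin comes from the committed lock file and the artifact from the registry.
"""
import hashlib
import hmac
import re

# Constructed stand-in for a downloaded package archive.
ARTIFACT = b"constructed package archive bytes for demonstration"

# Normally read from the lock file; derived here from the constructed artifact.
GOOD_PIN = "sha256:" + hashlib.sha256(ARTIFACT).hexdigest()

# A fully pinned requirement line: exact version plus an allowed digest.
REQUIREMENT_LINE = f"example-lib==2.0.0 --hash={GOOD_PIN}"


def parse_requirement(line):
    """Return (name, version, [(algo, hexdigest), ...]); reject anything not fully pinned."""
    parts = line.split()
    m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==(\d+(?:\.\d+)*)", parts[0])
    if not m:
        raise ValueError(f"version not pinned: {parts[0]!r}")
    hashes = []
    for tok in parts[1:]:
        h = re.fullmatch(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)", tok)
        if not h:
            raise ValueError(f"unsupported or malformed hash option: {tok!r}")
        hashes.append((h.group(1), h.group(2).lower()))
    if not hashes:
        raise ValueError(f"no --hash pin for {parts[0]}")
    return m.group(1), m.group(2), hashes


def artifact_matches(artifact, hashes):
    """True when the artifact matches any pinned digest (constant-time comparison)."""
    for algo, expected in hashes:
        actual = hashlib.new(algo, artifact).hexdigest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


def install_gate(line, artifact):
    """Decide whether the artifact may be installed; returns (allowed, message)."""
    name, version, hashes = parse_requirement(line)
    if not artifact_matches(artifact, hashes):
        return False, f"refusing {name}=={version}: digest mismatch, possible tampering"
    return True, f"{name}=={version} verified"


if __name__ == "__main__":
    print(install_gate(REQUIREMENT_LINE, ARTIFACT))
    # A single changed byte (e.g. a substituted package) fails the gate.
    print(install_gate(REQUIREMENT_LINE, ARTIFACT + b"!"))
```

Several `--hash` options may appear on one line (one per wheel or sdist); the gate accepts the artifact if any pinned digest matches, which mirrors how hash-checking mode treats multiple allowed files for one version.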
## Practice

Implement SBOM generation and dependency scanning in a CI/CD pipeline.
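One way to do the exercise, tying together the SBOM section and the dependency scanning section, as an added example that is not code from the original page: read a pinned lock file, emit a CycloneDX 1.4 document in the same shape as the SBOM shown earlier, match every component against an advisory feed, and return a non-zero exit code so the pipeline stops the merge. The lock-file contents, the package names other than lodash, and the advisory entries (IDs of the form `ADV-EXAMPLE-nnnn`, not real CVEs) are constructed for the demonstration; a real job would pull advisories from a vulnerability database.

```python
"""CI step: generate a CycloneDX SBOM from a lock file and scan it (added example).

The lock file, advisories and affected version ranges are constructed for the
demo and are not real data.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed lock-file contents ('name==version' per line), as a CI job would
# read them from a pinned manifest.
LOCKFILE = """\
lodash==4.17.21
example-parser==1.2.0
left-pad==1.3.0
"""

# Constructed advisory feed: each entry affects versions in [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "example-parser",
     "introduced": "1.0.0", "fixed": "1.2.1", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "name": "lodash",
     "introduced": "0.0.0", "fixed": "4.17.21", "severity": "critical"},
]


def parse_version(v):
    """'4.17.21' -> (4, 17, 21), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))


def parse_lockfile(text):
    """Return [(name, version)] from 'name==version' lines; reject unpinned entries."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.\-]+)==(\d+(?:\.\d+)*)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        components.append((m.group(1), m.group(2)))
    return components


def generate_sbom(components):
    """Build a CycloneDX 1.4 JSON document listing the pinned components."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat()},
        "components": [
            {"type": "library", "name": n, "version": v, "purl": f"pkg:pypi/{n}@{v}"}
            for n, v in components
        ],
    }


def scan_sbom(sbom, advisories):
    """Match each SBOM component against the advisory feed; return the findings."""
    findings = []
    for comp in sbom["components"]:
        ver = parse_version(comp["version"])
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                findings.append({
                    "component": f"{comp['name']}@{comp['version']}",
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                })
    return findings


def ci_gate(lockfile_text, advisories, fail_on=("critical", "high")):
    """Pipeline step: returns (exit_code, sbom_json, findings); non-zero blocks the merge."""
    sbom = generate_sbom(parse_lockfile(lockfile_text))
    findings = scan_sbom(sbom, advisories)
    blocking = [f for f in findings if f["severity"] in fail_on]
    return (1 if blocking else 0), json.dumps(sbom, indent=2), findings


if __name__ == "__main__":
    code, sbom_json, findings = ci_gate(LOCKFILE, ADVISORIES)
    print(sbom_json)  # archive this artifact alongside the build
    for f in findings:
        print(f"{f['severity'].upper()}: {f['component']} affected by "
              f"{f['advisory']} (fixed in {f['fixed_in']})")
    raise SystemExit(code)
```

With the constructed data, lodash 4.17.21 sits exactly at the fixed version and is not flagged, while example-parser 1.2.0 falls inside the affected range and fails the gate; the generated SBOM is printed so the pipeline can store it as a build artifact for later re-scanning when new advisories appear.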