How Supply Chain Attacks Work, and How to Stop Them

With attackers targeting vulnerable software components such as the Apache Log4j library, vulnerabilities in widely used applications such as Microsoft Exchange, and weaknesses in tools from service providers such as CircleCI, securing third-party components, partners, and software has become an important part of enterprise defense. A single overlooked flaw in one enterprise system can give an attacker access to the sensitive data and corporate accounts of a company's supply chain, which in turn paves the way for malicious activity that affects not only that organization but its entire ecosystem of partners. Software supply chain security has only become a widely recognized critical issue during the past two years, and there is still no real consensus on what it actually covers. Many security professionals are still trying to get their heads around the topic and to understand how to protect their organizations.

This report looks in detail at software bills of materials (SBOMs) and the Vulnerability Exploitability eXchange (VEX). For now, much of the attention is on SBOMs, because they are a critical first step in preventing software compromises: they ensure everyone knows what is in an application. An SBOM on its own, however, only lists components; it does not say whether a vulnerable component is actually exploitable in a given product. For SBOMs to be truly effective, they must be paired with machine-readable VEX documents, which carry exactly that per-product status. There are currently three open VEX formats that help organizations generate, share, and automatically process these statements alongside their SBOMs.
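To make the SBOM and VEX pairing concrete, here is an added example (not code from the report) that triages scanner findings against a minimal CycloneDX-style SBOM and an OpenVEX-style statement list, both constructed inline. The purls, the `CVE-0000-*` placeholder identifiers and the scanner findings are assumptions; `CVE-2021-44228` is the Log4Shell identifier. A finding is only suppressed when a well-formed VEX statement says `not_affected` or `fixed`; findings with no statement, and findings for components the SBOM does not list, are surfaced rather than silently dropped.

```python
"""Triage scanner findings against an SBOM and a VEX document.

Added example, not the report's code. Inputs are constructed inline:
a minimal CycloneDX-style SBOM, an OpenVEX-style statement list and a
list of scanner findings. All purls and the CVE-0000-* identifiers are
placeholders; CVE-2021-44228 is Log4Shell.
"""
import json

LOG4J_PURL = "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"

SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": LOG4J_PURL},
        {"type": "library", "name": "example-lib", "version": "1.0.0",
         "purl": "pkg:pypi/example-lib@1.0.0"},
    ],
})

VEX_JSON = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [
        {   # the vendor confirms exposure and says what to do about it
            "vulnerability": {"name": "CVE-2021-44228"},
            "products": [{"@id": LOG4J_PURL}],
            "status": "affected",
            "action_statement": "Upgrade log4j-core to 2.17.1 or later",
        },
        {   # vulnerable code is present but never reached in this product
            "vulnerability": {"name": "CVE-0000-0001"},
            "products": [{"@id": "pkg:pypi/example-lib@1.0.0"}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        },
    ],
})

# Constructed scanner output: (vulnerability id, purl the scanner matched).
FINDINGS = [
    ("CVE-2021-44228", LOG4J_PURL),
    ("CVE-0000-0001", "pkg:pypi/example-lib@1.0.0"),
    ("CVE-0000-0002", "pkg:pypi/example-lib@1.0.0"),  # no VEX statement yet
    ("CVE-0000-0003", "pkg:npm/not-in-bom@3.2.1"),    # component absent from SBOM
]

VALID_STATUSES = {"affected", "not_affected", "fixed", "under_investigation"}


def load_vex_index(vex_json):
    """Map (vuln id, product purl) -> statement, rejecting malformed statements."""
    index = {}
    for stmt in json.loads(vex_json).get("statements", []):
        status = stmt.get("status")
        if status not in VALID_STATUSES:
            raise ValueError(f"invalid VEX status: {status!r}")
        # A not_affected claim with no justification is not a valid reason
        # to suppress a finding, so refuse to load it.
        if status == "not_affected" and not (
            stmt.get("justification") or stmt.get("impact_statement")
        ):
            raise ValueError("not_affected statement without justification")
        vuln = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            index[(vuln, product["@id"])] = stmt
    return index


def triage(sbom_json, vex_json, findings):
    """Return {(vuln, purl): disposition} for each finding.

    fix_now      VEX says affected
    suppressed   VEX says not_affected or fixed
    investigate  component is in the SBOM but VEX has no usable statement
    not_in_sbom  the scanner matched a component the SBOM does not list
    """
    purls = {c["purl"] for c in json.loads(sbom_json)["components"] if "purl" in c}
    vex = load_vex_index(vex_json)
    result = {}
    for vuln, purl in findings:
        if purl not in purls:
            result[(vuln, purl)] = "not_in_sbom"
            continue
        stmt = vex.get((vuln, purl))
        if stmt is None or stmt["status"] == "under_investigation":
            result[(vuln, purl)] = "investigate"
        elif stmt["status"] == "affected":
            result[(vuln, purl)] = "fix_now"
        else:  # not_affected or fixed
            result[(vuln, purl)] = "suppressed"
    return result


if __name__ == "__main__":
    for (vuln, purl), disposition in triage(SBOM_JSON, VEX_JSON, FINDINGS).items():
        print(f"{vuln:15} {disposition:12} {purl}")
```

The `not_in_sbom` disposition is the one to watch in practice: it means either the scanner and the SBOM disagree about what is deployed, or the SBOM is incomplete, and either way a VEX statement cannot be trusted to cover it.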

Additionally, we look at attacks that target the software supply chain itself, such as dependency confusion and typosquatting. These differ from attacks that exploit a vulnerability in a software component: rather than attacking a flaw in code the organization already uses, they trick the build or package-resolution process into pulling in a malicious package the attacker controls. We also look at how tools from third-party providers can be hijacked to wreak havoc on organizations' networks. Supply chain security is a bigger story than any one piece of technology; it also requires having the right people and processes in place.
