Growing Risks in the Software Supply Chain

Mark Sherman
Carnegie Mellon University

Today’s software is largely assembled rather than written, and most of the assembly comes from open source components. The creation of components and their inclusion into applications creates a “supply chain” just like in conventional manufacturing. While physical supply chains have well-established chains of custody to establish properties like refrigeration maintenance, authenticity, or spoilage avoidance, the software supply chain is very much a wild, wild west, filled with vulnerabilities that can be (and are) inadvertently inserted into applications.

As supply chain risk and mitigations are being explored by government and academia, a larger attack surface is being uncovered that needs to be addressed. This presentation describes the parts of the software supply chain, how vulnerabilities have been introduced, the growing attack surface from new methods of building and distributing software, and the actions that developers can employ to avoid or mitigate the risks inherent in an assembly-based software development strategy.
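As an added illustration of what a chain-of-custody check looks like on the software side (example code written for this page, not part of the presentation or any CMU tooling): the digest of each component is recorded in a manifest when the component is first reviewed, and every later fetch is compared against that pinned digest before it is assembled into the application. The manifest format, the component names and the sample bytes are constructed assumptions for the example.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a component's bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_component(data: bytes, expected_digest: str) -> bool:
    """Return True only if the fetched bytes match the digest pinned at review time.

    compare_digest avoids leaking digest prefixes through timing differences.
    """
    return hmac.compare_digest(sha256_hex(data), expected_digest.lower())


def verify_manifest(fetched: dict, manifest: dict) -> dict:
    """Check every fetched component against the pinned manifest.

    Returns a per-component verdict:
      'ok'        - bytes match the pinned digest
      'mismatch'  - bytes differ from what was reviewed (changed in transit or upstream)
      'unpinned'  - component was never reviewed, so nothing vouches for it
    """
    verdicts = {}
    for name, data in fetched.items():
        if name not in manifest:
            verdicts[name] = "unpinned"
        elif verify_component(data, manifest[name]):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "mismatch"
    return verdicts


# Constructed known-good components; the manifest is derived from them, which is
# the state a lockfile or signed manifest would capture after the initial review
# (assumption for this example).
GOOD_LIB = b"def add(a, b):\n    return a + b\n"
GOOD_UTIL = b"VERSION = '1.0'\n"
MANIFEST = {"lib.py": sha256_hex(GOOD_LIB), "util.py": sha256_hex(GOOD_UTIL)}


def demo() -> dict:
    """Simulate a later build fetching components, one of which has changed."""
    fetched = {
        "lib.py": GOOD_LIB,                                   # unchanged since review
        "util.py": GOOD_UTIL + b"# altered after pinning\n",  # constructed modified copy
        "extra.py": b"pass\n",                                # pulled in, never pinned
    }
    return verify_manifest(fetched, MANIFEST)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A build that only accepts components with an `ok` verdict gives the software side the same property a refrigeration log gives a physical shipment: evidence that what arrived is what was inspected. The `unpinned` verdict matters as much as `mismatch`, since a transitive dependency that was never reviewed is exactly the path along which vulnerabilities are inadvertently inserted.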