All Articles

The Complexity of Software Supply Chains

Software supply chains are vast and intricate, much like the global manufacturing processes behind the latest technology products. Take an iPhone, for example. Millions of people contribute to its development, from factory workers assembling hardware to software engineers writing the code that powers it. Yet, despite this massive network of contributors, we trust these devices in our daily lives. But what if just one person in that chain were compromised?

A single vulnerability in the supply chain can have a domino effect. Cybercriminals are constantly looking for ways to infiltrate systems, and the software supply chain is a prime target. Attackers exploit weaknesses in third-party libraries, dependencies, and even build environments to insert malicious code that can go undetected for months or even years. The consequences? Data breaches, operational disruptions, and financial losses.

Understanding the Risk

Every organization relies on external software, whether it’s from large enterprises or small startups. The risk? Many companies do not invest enough in securing their software supply chains. Security professionals must assess not only their internal development environments but also the security of the third-party software they integrate.

Cyberattacks targeting supply chains are becoming more frequent and sophisticated. The infamous SolarWinds attack demonstrated how a single vulnerability in a trusted update could compromise thousands of organizations, including government agencies. Supply chain security is no longer optional—it is a necessity for modern cybersecurity strategies.

Development Environments: A Prime Target

• Developers can write and deploy code without security checks.
• Open-source dependencies are frequently used without verification.
• Virtual machines and ephemeral environments are spun up and down constantly, creating blind spots.
• Threat actors can insert malicious code into development environments, as seen in the SolarWinds attack.

The speed at which developers operate today is both an advantage and a challenge. With continuous integration and deployment (CI/CD) pipelines automating much of the software release process, security checks are often overlooked. Attackers understand this and exploit it by inserting malicious code into widely used repositories, leading to widespread security incidents.

The Challenge of Open-Source Code

• Developers often download and integrate code without reviewing it.
• Malicious packages in repositories like npm are widespread.
• Attackers wait months or even years before introducing malicious updates.
• Without proper scanning, organizations unknowingly introduce security risks.

Open-source software is a double-edged sword. While it accelerates development, it also introduces vulnerabilities. Developers often rely on third-party code without fully understanding its origins. Attackers take advantage of this trust by creating malicious versions of legitimate packages. Dependency confusion attacks, where attackers trick systems into downloading malicious versions of internal libraries, are becoming more common.

The Need for Developer Accountability

Supply chain security is a shared responsibility. Security leaders, developers, and vendors must work together to establish best practices.

>> Connect with CISO Platform (invite only Platform For CISOs)—a cybersecurity community where experts share insights on securing the software supply chain.

• Developers must be trained in secure coding practices.
• Security teams cannot oversee every decision; developers must take responsibility.
• Awareness programs should include detecting malicious code in open-source projects.
• Secure coding should be an integral part of the development process.

Training developers to recognize and mitigate security risks is critical. Security should not be an afterthought—it should be embedded into the development lifecycle. Developers must be equipped with the right tools and knowledge to identify vulnerabilities before they make it into production.

Secure Development and Data Classification

• Developers should classify their source code based on sensitivity.
• Organizations must track proprietary and open-source code separately.
• Accidental code leaks on public repositories are a significant risk.
• Proper classification ensures better security controls.

Data classification is often overlooked in software development. Developers may unknowingly expose sensitive code to public repositories, increasing the risk of data breaches. Organizations should implement strict policies to ensure that proprietary code remains protected while still allowing for efficient collaboration.

The Importance of Secure Build Pipelines

• The SolarWinds attack highlighted vulnerabilities in CI/CD pipelines.
• Threat actors can manipulate build processes to distribute compromised software.
• Organizations must implement strict access controls in build environments.
• Code signing and integrity checks should be mandatory before deployment.

The security of build pipelines is crucial in preventing supply chain attacks. Attackers target build systems to inject malicious code into legitimate software updates. Organizations must enforce strict access controls, monitor build processes, and ensure that only authorized code makes it into production.

Supply Chain Security Questions for Vendors

• Do they secure their development environments?
• Do they have a secure code repository?
• How do they manage vulnerabilities?
• Do they perform security testing before releasing updates?
• What measures do they take to prevent unauthorized access to their infrastructure?

Before integrating third-party software, organizations must conduct thorough security assessments of their vendors. Many breaches occur due to vulnerabilities in third-party applications, making vendor security assessments a key component of supply chain security.

Emerging Threats in Secure Development

• AI-driven tools offer promise but can also introduce new risks.
• Malicious open-source tools can be used to compromise environments.
• Organizations must vet new tools before integrating them.
• Adversaries use AI-generated malware to bypass traditional security defenses.

AI and automation are transforming software development, but they also present new security challenges. Attackers leverage AI to create sophisticated malware that can evade detection. Organizations must stay ahead by implementing advanced security solutions that can counter AI-generated threats.

Vulnerability Management and Asset Tracking

• Many security scans generate excessive false positives.
• Organizations must prioritize vulnerabilities based on exploitability.
• Less than 3% of OT systems receive regular patches.
• Asset management databases must track internet-facing systems.

Vulnerability management is essential in securing the software supply chain. Organizations must prioritize vulnerabilities based on real-world risk rather than simply reacting to every security alert. Proper asset tracking ensures that critical systems remain protected.

Physical Supply Chain Risks

• Hardware components can be tampered with during transit.
• Firmware integrity checks must be integrated into manufacturing processes.
• Organizations should validate hardware security before deployment.
• Secure shipping and handling procedures must be enforced.
• The physical supply chain is just as vulnerable as the digital one. Attackers can tamper with hardware components during shipping, introducing backdoors that remain undetected until deployment. Secure handling procedures and firmware integrity checks are critical in mitigating these risks.
• Attackers will continue to target development environments and distribution channels.
• Secure development lifecycles should be a priority for organizations.
• Vendors will face increasing scrutiny over their security practices.
• Organizations must continuously monitor and adapt to evolving threats.
• Cyber resilience must be a core part of every security strategy.

As cyber threats continue to evolve, so must security strategies. Organizations must take a proactive approach to securing their software supply chains. Continuous monitoring, real-time threat intelligence, and collaboration with industry partners are essential in staying ahead of adversaries.

Join 10,000+ CISOs on www.cisoplatform.com and connect with industry experts, share insights, and strengthen your security posture.

About Cassie Crossley:

Cassie Crossley is the Vice President of Supply Chain Security at Schneider Electric, specializing in end-to-end software, firmware, and hardware security. An author, cybersecurity leader, and advocate for supply chain security, she actively contributes to CISA SBOM working groups and has been recognized as an SC Media Women in IT Security Power Player. At the CISO Platform Top 100 Awards 2025, she delivered a keynote on "Software Supply Chain Security," addressing third-party risks, secure development, and emerging cyber threats. Her expertise continues to shape global cybersecurity policies and best practices.

Follow Cassie Crossley on:

• Twitter (X) : @Cassie_Crossley

•  LinkedIn:   linkedin.com/in/cassiecrossley