What is Software Supply Chain Security and How to Master It?

Software supply chain security main takeaways:
  • Protecting software integrity requires real-time monitoring and automated audits to detect vulnerabilities in source code, dependencies, build processes, and distribution methods.

  • Major threats include malicious code injections, compromised third-party libraries, insider threats, and supply-chain vendor compromises that can lead to large-scale security breaches.

  • Industry frameworks like NIST, SLSA, and ISO/IEC 27001 provide standardized security policies to enforce compliance and strengthen risk management across the software lifecycle.

  • A cloud-native security platform like Wiz enhances software supply chain security by automating risk detection, verifying SBOM integrity, and providing full visibility into cloud environments.

What is software supply chain security?

Software supply chain security includes measures and practices to protect the security and integrity of all components within the software development cycle, such as source code, dependencies, and libraries. 

A compromised software supply chain can have profound consequences. As cyber threats grow increasingly sophisticated, even a minor vulnerability can cause devastating breaches. These can result in financial losses, legal repercussions, and a damaged business reputation. For end users, the fallout can range from privacy violations to financial fraud.

But what makes up this software supply chain? Let's examine its components and its place in the software development lifecycle and dig into the inherent challenges of improving your application security.

Components of the software supply chain that need to be secured

Below are key security focuses for the software supply chain:

  • Source code: Developers often write source code in high-level languages like Python, Java, or C++, forming the foundation of any software. To ensure its integrity, developers use cryptographic hashing to detect any unauthorized access and alterations.

  • Dependencies and libraries: You can consider these the building blocks that developers use to enhance functionality without reinventing the wheel. For instance, a developer might use OpenSSL, a widely used library, to implement SSL/TLS protocols. However, as the Heartbleed Bug incident showed, even popular libraries require regular security checks to stay protected from threats.

  • Build and compilation processes: These function like an assembly line in manufacturing. Tools like Jenkins or Travis CI automate these processes by converting source code into executable binaries. Security teams must keep these tools free from vulnerabilities to prevent potential security breaches and maintain the integrity of the build process.

  • Distribution and deployment: Distribution and deployment serve as the means of software delivery. Docker, for example, lets developers encapsulate applications in containers for consistent environments. But if an attacker breaches the Docker image repository, it can cause extensive problems.

  • Updates and patches: Just as cars need periodic servicing, software requires updates. Updates and patches fix known issues or vulnerabilities. However, if an attacker pushes a malicious update, the consequences can be catastrophic.

Threats and risks to the software supply chain

Threat actors see the software supply chain as a prime target thanks to its intricate processes and multifaceted components. 

Understanding the breadth and depth of potential threats is the first step in developing defenses. Here are the most pressing threats that can compromise your software supply chain:

External threats and risks

Below are outside threats that could affect your infrastructure:

| External threats and risks | Description | Real-world examples |
| --- | --- | --- |
| Malicious code injections and compromised dependencies | Covert techniques allow attackers to embed malicious functionalities within legitimate software. Additionally, relying on third-party components can expedite development but also introduce vulnerabilities. | A prime example is the SolarWinds attack, where attackers inserted malicious code into the software's update mechanism, causing wide-scale data breaches that affected organizations worldwide. |
| Man-in-the-middle (MitM) attacks | MitM attacks involve intercepting software during distribution and altering it before it reaches the end user. | ASUS’s compromised Live Update software serves as a chilling reminder. In that attack, dubbed Operation ShadowHammer, threat actors intervened and forced ASUS to distribute malicious code instead of legitimate updates to its users. |
| Lack of encryption in data transmission | Transmitting software updates or patches without encryption allows attackers to intercept and modify the software, introducing malicious code. This compromises the software’s integrity and puts users at risk of downloading and installing tampered versions. | The Ivanti Connect Secure VPN attacks highlight how unencrypted updates enable exploitation. Attackers exposed a vulnerability to conduct remote code execution without authentication, which affected many organizations. |

Internal threats and risks

Below are internal threats, or hybrid threats, that can affect your infrastructure:

| Internal threats and risks | Description | Real-world examples |
| --- | --- | --- |
| Insider threats or compromised developer accounts | Sometimes, a threat originates within an organization. Malicious actors, dissatisfied employees, or even unintentional mistakes can lead to significant breaches. | The Codecov incident is one example of this threat vector. Advanced attackers exploited Codecov's Docker image construction error to execute the breach. They altered a script, which enabled them to transmit the environment variables from Codecov's CI to an external server. |
| Outdated components and flawed software with known vulnerabilities | Using outdated software or deploying a flawed software design is akin to leaving your front door unlocked when you have valuables on display. | The Equifax breach, which occurred because the company overlooked a vulnerability in Apache Struts, highlights the severe repercussions of not updating promptly. |
| Insecure APIs | APIs allow different software components to communicate. Insecure APIs can serve as gateways for attackers, resulting in sensitive data leaks or unwanted access. | The 2024 WhatsApp View Once incident is a good example of insecure APIs. The privacy feature had a flaw in its disappearing photos and media. Recipients could manipulate the disappearing features within the API by turning the “viewOnce” property to false, overriding the privacy preferences. |

Real-life examples of software supply chain attacks

Below are recent examples of supply chain attacks:

Hugging Face and a malicious AI model

In 2024, Wiz Research, in partnership with Hugging Face, discovered a security risk in AI-as-a-Service platforms that targeted Hugging Face’s Inference API. Researchers learned that an attacker could upload a malicious AI model that allowed remote code execution and cross-tenant access. This vulnerability exposed possibilities for attackers to access private AI models and essential customer data.

In addition, Wiz Research discovered insufficient isolation in the AI inference infrastructure. This vulnerability could lead to privilege escalation, allowing an attacker to move laterally within the platform’s Kubernetes environment. This, along with the discovery of container registry security gaps in Hugging Face’s Spaces service, proved to be a major opportunity for supply chain attacks.

Hugging Face worked with Wiz to mitigate these risks and conduct more substantial tenant isolation, container security, and vulnerability scanning for safer customer protection. 

Wiz uncovers #IngressNightmare

Nothing spells danger like an unauthenticated, remote code execution vulnerability. Wiz Research uncovered this vulnerability in the Ingress NGINX Controller for Kubernetes, which is now dubbed #IngressNightmare.

The vulnerabilities (CVE-2025-1974, CVE-2025-1097, CVE-2025-1098, CVE-2025-24514) came from insecure handling within the admission controller component. The result was that 43% of cloud environments and over 6,500 internet-facing Kubernetes clusters were vulnerable to exploitation. Because of this vulnerability, attackers could gain cluster-wide access to secrets across all namespaces.

To mitigate the issue, organizations could update their Ingress NGINX Controller, disable or restrict access to the admission controller webhook endpoint, and use network policies to remove the control in case of delayed updates.

Thanks to Wiz, its users can detect exposed clusters within their hybrid cloud security infrastructure for real-time alerting on discoveries and risks like these.

Best practices for mitigating supply chain risks

If you want to defend against threats to your software supply chain, implement the following best practices:

1. Create a software bill of materials (SBOM) with security considerations

Every software project should integrate an SBOM as a regular component. Teams can generate and update it using automated tools within the software development lifecycle. A foundational step is for teams to document all components, libraries, and dependencies and periodically review the SBOM for vulnerabilities. 

Another critical aspect of SBOM is leveraging automation and unified security tools. Implementing solutions like Wiz's agentless SBOM scanning can streamline this process.

2. Leverage DevOps and DevSecOps

Shift from traditional development practices to a DevOps or DevSecOps model by integrating security checks at every phase of the software development lifecycle. Embedding tools like SonarQube or Checkmarx into the CI/CD pipeline automates security assessments, enabling teams to detect and resolve vulnerabilities swiftly.

3. Complete regular audits

Conduct periodic security audits to identify vulnerabilities in software components. Use tools like OWASP Dependency-Check to scan dependencies and prioritize remediation based on risk severity. Regularly audit cloud configurations and network traffic using cloud-native tools like AWS Config or Azure Security Center.

4. Implement multi-factor authentication and enforce least-privilege access

Enable MFA for all developer accounts, especially those with access to essential code repositories like GitHub or Bitbucket and in cloud platforms like AWS IAM and Azure AD.

You can also enforce the principle of least privilege in these repositories to restrict access rights to only what is necessary for each role, preventing compromised accounts from affecting the entire code base.

5. Perform Software Composition Analysis (SCA)

Use SCA tools to scan open-source libraries and dependencies for vulnerabilities. Regularly update components to ensure known vulnerabilities are patched and reduce the risk posed by outdated libraries in hybrid and multi-cloud environments. SCAs are essential for maintaining security across complex cloud architectures where third-party components are often integrated.
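The review step from practice 1 and the dependency scan from practice 5 come down to matching SBOM components against advisory version ranges. The following Python code is an added example, not code from the original page or from any SCA product; the component names, advisory IDs and helper names are constructed for illustration.

```python
import json

# Constructed CycloneDX-style SBOM; every component name and version is invented.
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "examplelib-tls",  "version": "1.0.1"},
  {"type": "library", "name": "examplelib-json", "version": "2.4.0"},
  {"type": "library", "name": "examplelib-yaml", "version": "3.10.2"},
  {"type": "library", "name": "examplelib-zip",  "version": "1.2rc1"},
  {"type": "library", "name": "vendored-blob"}
]}
"""

# Constructed advisory feed; the IDs are placeholders, not real advisories.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0002", "package": "examplelib-yaml",
     "introduced": "3.0.0", "fixed": "3.9.0", "severity": "high"},
    {"id": "EXAMPLE-ADV-0001", "package": "examplelib-tls",
     "introduced": "1.0.0", "fixed": "1.0.2", "severity": "critical"},
]
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def parse_version(text):
    """Turn '3.10.2' into (3, 10, 2) so that 3.10 sorts after 3.9."""
    return tuple(int(part) for part in text.split("."))

def audit_sbom(sbom_json, advisories):
    """Return (findings, unassessed) for the components listed in the SBOM."""
    findings, unassessed = [], []
    for comp in json.loads(sbom_json).get("components", []):
        try:
            current = parse_version(comp["version"])
        except (KeyError, ValueError):
            # Missing or unparseable version: report it rather than treat it as clean.
            unassessed.append(comp["name"])
            continue
        for adv in advisories:
            if adv["package"] != comp["name"]:
                continue
            if parse_version(adv["introduced"]) <= current < parse_version(adv["fixed"]):
                findings.append({"severity": adv["severity"], "component": comp["name"],
                                 "version": comp["version"], "advisory": adv["id"],
                                 "fixed_in": adv["fixed"]})
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings, unassessed

if __name__ == "__main__":
    findings, unassessed = audit_sbom(SBOM_JSON, ADVISORIES)
    for f in findings:
        print(f"{f['severity']:8} {f['component']} {f['version']} "
              f"-> upgrade to {f['fixed_in']} ({f['advisory']})")
    for name in unassessed:
        print(f"unknown  {name}: version missing or unparseable, review manually")
```

Comparing versions as tuples matters here: as plain strings, "3.10.2" sorts before "3.9.0" and the patched YAML library would be flagged as vulnerable.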

6. Choose a continuous monitoring solution

Deploy continuous monitoring tools like Splunk or ELK Stack for real-time detection of anomalous activity. In cloud-native environments, leverage AWS CloudWatch or Azure Sentinel to monitor cloud configurations, network traffic, and containerized workloads.

7. Manage vendor risk

Conduct a thorough risk assessment before integrating any third-party component or service. You should also evaluate the vendor’s security practices, track record of vulnerabilities, and response strategy. Then, to ensure ongoing security compliance, regularly review and update vendor risk assessments.

8. Create an incident response plan

Your team should develop a comprehensive incident response plan tailored to potential software supply chain attacks. Define clear actions to take in case of a breach, including communication protocols, immediate countermeasures, and a detailed post-event review.

9. Use network segmentation

Segment your network to isolate development, testing, and production environments from one another. Proper segmentation minimizes the risk of a compromise spreading across environments. For more granular control, consider micro-segmentation and zero-trust architecture, especially in hybrid cloud configurations.

10. Schedule regular backups

Establish a backup strategy for critical software components and configurations using cloud-native backup solutions like AWS Backup or Azure Backup. Regularly test disaster recovery plans, including cross-region backups, to ensure data availability and integrity across hybrid environments.

Leveraging industry standards and frameworks

The following frameworks provide methods to identify, assess, and mitigate risks throughout your development process:

  • ISO/IEC 27001: This framework defines requirements for information security management systems and risk management.

  • NIST Cybersecurity Framework: This risk-based approach establishes guidelines for managing cybersecurity to ensure consistency across organizations and supply chains.

  • NIST Secure Software Development Framework: This set of security practices protects software from vulnerabilities, mitigates risks, and prevents avoidable issues.

  • Supply-Chain Levels for Software Artifacts (SLSA): This framework ensures software integrity through a tiered approach to security controls.

  • Cloud Security Alliance Cloud Controls Matrix: This set of tailored security controls strengthens cloud environments and supply chain security.

Implementing these frameworks produces stronger risk management, improved security, enhanced trust, simplified compliance, and cost reduction from avoiding expensive security incidents.

The key, however, is investing in the right cloud-native security platform. Wiz, for example, can automate cloud security, help you implement compliance measures, and eliminate threats before they happen. 

Questions to ask for NIST

When evaluating third-party software, follow NIST recommendations to ensure that suppliers meet security standards. To do so, ask these key questions:

  • Does the supplier have ties with any foreign governments?

  • Can the supplier provide a sourcing list for their hardware and software components?

  • Do organizations implement safeguards to protect sensitive program information from supply chain compromises?

  • Do secure procedures exist for maintenance and upgrades post-deployment?

  • Does a system track and record risk mitigation throughout the product's life cycle?

  • Does the supplier adhere to secure software development standards, such as the Microsoft Security Development Lifecycle?

Looking ahead: Keep your software supply chain protected

Protecting your supply chain from today’s threats isn’t enough. The cloud security landscape changes so rapidly that delaying improvements and adaptation could quickly jeopardize your security. That’s why keeping your cloud security posture steps ahead of today’s threats helps you thwart them as they become more sophisticated.

The following are emerging threats and concerns that you should consider:

  • SBOMs: While SBOMs can add transparency, attackers can also manipulate them to find weak points in your software supply chain. To avoid this, verify your SBOM integrity through cryptographic signing and hashing, limit SBOM exposure, automate analyses, and implement security controls. You can also adopt zero-risk policies like multi-factor authentication and the principle of least privilege.

  • AI-powered attacks: Bad actors can use AI to automate attacks and find security vulnerabilities. However, you can combat innovative cyberattacks using automation from top cloud security tools.

  • Quantum computing growth: In the future, quantum computing's powerful capabilities could break cryptographic protections. To solve this issue, instituting multiple layers of security through zero-trust architecture and an innovative cloud security platform will be key. This risk will be a reality very soon: estimates put the possibility of RSA 2048 being broken in 24 hours at 17-34% in 2034 (and 79% by 2044).

  • Open source risks: As open-source software threats grow, attackers continue to exploit weaknesses within these systems. That’s why it’s essential to implement shift-left policies through your DevOps team so they can prioritize security when developing and implementing open-source application software.

  • Geopolitical risks: As the world grows smaller through technology, supply chain threats grow bigger. With nation-state actors targeting vendors and infrastructure to disrupt the software supply chain, adopting these best practices and choosing the right platform helps prevent powerful emerging threats and sophisticated attacks. 
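The SBOM item above recommends verifying SBOM integrity through cryptographic signing and hashing. The following Python code is an added example, not code from the original page or from any SBOM tool: it checks a signature over a canonicalized CycloneDX-style SBOM, then compares each shipped artifact with the SHA-256 recorded for it. The artifact names, key and helper names are constructed, and HMAC-SHA256 stands in for an asymmetric signature so that the example runs on the standard library alone.

```python
import copy
import hashlib
import hmac
import json

def canonical_bytes(sbom):
    """Serialize deterministically so the same SBOM always yields the same bytes."""
    return json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()

def sign_sbom(sbom, key):
    # HMAC-SHA256 stands in for the asymmetric signature a real pipeline would use.
    return hmac.new(key, canonical_bytes(sbom), hashlib.sha256).hexdigest()

def verify_release(sbom, signature, key, artifacts):
    """Return a list of problems; an empty list means SBOM and artifacts agree."""
    if not hmac.compare_digest(sign_sbom(sbom, key), signature):
        # An SBOM that fails its signature cannot vouch for any artifact.
        return ["SBOM signature mismatch"]
    problems, listed = [], set()
    for comp in sbom["components"]:
        name = comp["name"]
        listed.add(name)
        recorded = {h["alg"]: h["content"] for h in comp.get("hashes", [])}.get("SHA-256")
        if name not in artifacts:
            problems.append(f"{name}: listed in SBOM but not shipped")
        elif recorded is None:
            problems.append(f"{name}: no SHA-256 recorded")
        elif hashlib.sha256(artifacts[name]).hexdigest() != recorded:
            problems.append(f"{name}: hash mismatch")
    problems += [f"{n}: shipped but not in SBOM" for n in sorted(set(artifacts) - listed)]
    return problems

# Constructed sample data: artifact names, contents and key are invented.
KEY = b"constructed-demo-key"
ARTIFACTS = {"libfoo.so": b"foo build 1", "libbar.so": b"bar build 7"}
SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": name, "hashes": [{"alg": "SHA-256",
                               "content": hashlib.sha256(data).hexdigest()}]}
    for name, data in ARTIFACTS.items()]}
SIGNATURE = sign_sbom(SBOM, KEY)

def tampered_cases():
    """Three tampering attempts and what the verifier reports for each."""
    implant = b"foo build 1 + implant"
    swapped = {**ARTIFACTS, "libfoo.so": implant}
    forged = copy.deepcopy(SBOM)  # the SBOM's recorded hash is rewritten to match
    forged["components"][0]["hashes"][0]["content"] = hashlib.sha256(implant).hexdigest()
    extra = {**ARTIFACTS, "libextra.so": b"unlisted"}
    return (verify_release(SBOM, SIGNATURE, KEY, swapped),
            verify_release(forged, SIGNATURE, KEY, swapped),
            verify_release(SBOM, SIGNATURE, KEY, extra))

if __name__ == "__main__":
    print(verify_release(SBOM, SIGNATURE, KEY, ARTIFACTS), *tampered_cases(), sep="\n")
```

Hashing alone catches the swapped artifact, but only the signature catches the case where the SBOM's own hash entry was rewritten to match it.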

Secure all components of your software supply chain with Wiz

New challenges arise as technology advances, which require software supply chain security to constantly evolve. Keeping your software safe also requires collective responsibility, with DevSecOps teams, organizations, and end users working together. 

Having the right security partners makes a big difference. That’s where Wiz comes in to help.

Wiz is the unified cloud security platform that continuously secures your software supply chain. With Wiz's Secure Cloud Development solution, organizations can immediately gain visibility into all their software components, detect supply chain risks, and receive remediation guidance.

Wiz's secure cloud development capabilities include:

  • Code scanning: Wiz scans your code repositories to detect potential security risks, such as vulnerabilities, misconfigurations, and policy violations.

  • Cloud-to-code tracing: The platform automatically traces risks in the cloud back to the code and teams that introduced them. This helps you quickly identify and fix the root cause of problems.

  • SBOM and image integrity: The Wiz solution generates SBOMs to track software components. Wiz also verifies software image integrity to ensure that no tampering has occurred.

  • GitHub connector: Wiz offers a GitHub connector that integrates with your GitHub repositories. This makes it easy to scan your code and track risks directly within GitHub.

Want to improve your security? Check out Wiz’s Secure Coding Best Practices Cheat Sheet—or watch the demo to learn how you can implement best practices today with Wiz’s cloud-native security platform. 
