Software Supply Chain Security

Software supply chain attacks came to the wider community's attention following a recent high-profile attack, but they have been an ongoing threat for a long time. With the ever-growing importance of free and open source software, software supply chain security is crucial, particularly in cloud native environments where everything is software-defined.

What are supply chain vulnerabilities and their implications?

The Catalog of Supply Chain Compromises provides real-world examples that raise awareness and give detailed information that lets us understand attack vectors and consider how to mitigate the resulting risk.

On mitigating vulnerabilities

There is ongoing work to establish best practices in this area. The list of compromise types in the Catalog of Supply Chain Compromises suggests mitigation techniques for the better-understood categories.

Supply chain security paper

STAG (Security Technical Advisory Group) has produced a comprehensive software supply chain paper highlighting best practices for high- and medium-risk environments. Please read the paper and the accompanying secure supply chain assessment document to learn more.

For information about contributing to the document or providing feedback, please refer to the README.

Meeting Information

  • Weekly Meetings: 8:00 AM Pacific Time (US and Canada)
  • Meeting Link: See CNCF calendar for invite
  • Meeting Notes: Google Docs

Contact

  • Lead: Marina Moore, Michael Lieberman, John Kjell
  • Slack Channel: Link