
> It's an unbelievably gargantuan effort

Also applies to software supply chains:

https://www.platformsecuritysummit.com/2019/speaker/sherman/

> Today’s software is largely assembled rather than written, and most of the assembly comes from open source components. The creation of components and their inclusion into applications creates a “supply chain” just like in conventional manufacturing. While physical supply chains have well established chains-of-custody to establish properties like refrigeration maintenance, authenticity or spoilage avoidance, the software supply chain is very much a wild, wild west, filled with vulnerabilities that can be (and are) inadvertently inserted into applications. As supply chain risk and mitigations are being explored by government and academia, a larger attack surface is being uncovered that needs to be addressed.



We do that too. :)



