Blog series Understanding the Value of Software Supply Chain Security 2 Blogposts

Part 1: Attack vectors

There is generally a lot less awareness of Software Supply Chain Security in the contemporary IT landscape and thus its aspects are completely ignored by DevSecOps practices. In this two-part article, I aim to provide an overview of what software supply chain is, what attack vectors you render yourself vulnerable to when not including these aspects in your pipelines and how you can reduce your attack surface area using various tools / frameworks / guidelines like SLSA, sigstore, in-toto, SBOM, TUF, OpenSSF etc. We will also shed light on how the open source community as a whole is combating this threat.


Amulya Bhatia

Part 2: Tools in your arsenal

In the first part we discussed software supply chain in general, which possible attack vectors exist and what actions are being taken by the community but rather in an isolated manner. In this part, I’ll line out specific actions which can be taken in an organized manner and which tools/framework/guidelines can be useful along this way.


Amulya Bhatia