Awareness of software supply chain security is still comparatively low in the contemporary IT landscape, and as a result its concerns are often left out of DevSecOps practices entirely. In this two-part article, I aim to give an overview of what the software supply chain is, which attack vectors you expose yourself to when these concerns are not built into your pipelines, and how you can reduce your attack surface using tools, frameworks and guidelines such as SLSA, sigstore, in-toto, SBOM, TUF and the OpenSSF. We will also shed light on how the open source community as a whole is combating this threat.