Abstract:
The interconnected nature of modern software results in a complex software
supply chain, encompassing elements such as binaries, libraries, tools, and
microservices. These components are essential for contemporary software development
and are sourced from both open-source and proprietary channels. According to
O'Donoghue, Reinhold, and Izurieta (2024), the software supply chain's complexity has
made it increasingly vulnerable to cyberattacks, presenting a significant threat. This
exposure is heightened by the extensive dependencies within a vendor's product,
where a flaw in one component can affect multiple products. Furthermore, software
supply chains have vast attack surfaces, as weaknesses in external transitive
dependencies can compromise the integrity of the core system.

To combat these challenges, O'Donoghue, Reinhold, and Izurieta (2024) identify
the Software Bill of Materials (SBOM) as a promising tool. When combined with
appropriate analysis instruments, SBOMs can effectively identify and neutralize security
risks within software supply chains. In their study, they utilized Trivy and Grype, two
open-source tools, to scrutinize the security of 1,151 SBOMs collected from third-party
software repositories that vary in scope and size. Their investigation sought to
understand the prevalence and distribution of vulnerabilities within these SBOMs and to
identify which software components are most at risk. Their findings underscore the
looming danger of supply chain vulnerabilities in software and advocate the use of
SBOMs to reinforce software supply chain security.
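As an added illustration of the kind of analysis an SBOM makes possible (this is example code written for this summary, not code from the paper, from Trivy, or from Grype): it loads a small CycloneDX-style SBOM, matches each component's package URL (purl) against an advisory list, and then walks the SBOM's dependency graph to show which components inherit the exposure transitively, which is the "flaw in one component affects many" point made above. The SBOM, the advisory identifiers (`ADV-EXAMPLE-*`), the package names and the fixed-in versions are all constructed for the example; a real scanner would pull its advisories from a vulnerability database.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed CycloneDX-style SBOM for a hypothetical application "webshop".
# Not taken from the paper's dataset; the packages and versions are illustrative.
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pkg:npm/webshop@1.0.0",
                             "name": "webshop", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:npm/express@4.17.1", "purl": "pkg:npm/express@4.17.1"},
    {"bom-ref": "pkg:npm/qs@6.5.2",       "purl": "pkg:npm/qs@6.5.2"},
    {"bom-ref": "pkg:npm/lodash@4.17.15", "purl": "pkg:npm/lodash@4.17.15"}
  ],
  "dependencies": [
    {"ref": "pkg:npm/webshop@1.0.0",
     "dependsOn": ["pkg:npm/express@4.17.1", "pkg:npm/lodash@4.17.15"]},
    {"ref": "pkg:npm/express@4.17.1", "dependsOn": ["pkg:npm/qs@6.5.2"]},
    {"ref": "pkg:npm/qs@6.5.2",       "dependsOn": []},
    {"ref": "pkg:npm/lodash@4.17.15", "dependsOn": []}
  ]
}
'''

# Constructed advisory feed: every version below "fixed_in" is considered affected.
# The ADV-EXAMPLE identifiers are placeholders, not real advisories.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "ecosystem": "npm", "package": "qs",      "fixed_in": "6.5.3"},
    {"id": "ADV-EXAMPLE-0002", "ecosystem": "npm", "package": "lodash",  "fixed_in": "4.17.21"},
    {"id": "ADV-EXAMPLE-0003", "ecosystem": "npm", "package": "express", "fixed_in": "4.0.0"},
]


def parse_purl(purl: str) -> Tuple[str, str, str]:
    """Split 'pkg:npm/qs@6.5.2' into (ecosystem, name, version)."""
    body = purl[len("pkg:"):]
    ecosystem, rest = body.split("/", 1)
    name, version = rest.rsplit("@", 1)
    return ecosystem, name, version


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric-only version ordering; non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def match_vulnerabilities(sbom: dict, advisories: List[dict]) -> Dict[str, List[str]]:
    """Map each vulnerable component's bom-ref to the advisory ids that apply."""
    findings: Dict[str, List[str]] = {}
    for comp in sbom["components"]:
        ecosystem, name, version = parse_purl(comp["purl"])
        for adv in advisories:
            same_pkg = adv["ecosystem"] == ecosystem and adv["package"] == name
            if same_pkg and version_key(version) < version_key(adv["fixed_in"]):
                findings.setdefault(comp["bom-ref"], []).append(adv["id"])
    return findings


def reverse_dependencies(sbom: dict) -> Dict[str, Set[str]]:
    """Build child -> {parents} edges from the SBOM's dependency list."""
    parents: Dict[str, Set[str]] = {}
    for entry in sbom["dependencies"]:
        for child in entry["dependsOn"]:
            parents.setdefault(child, set()).add(entry["ref"])
    return parents


def transitively_affected(ref: str, parents: Dict[str, Set[str]]) -> Set[str]:
    """Every component that directly or indirectly depends on 'ref'."""
    seen: Set[str] = set()
    stack = [ref]
    while stack:
        for parent in parents.get(stack.pop(), ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    return seen


def analyze(sbom_json: str, advisories: List[dict]):
    """Return (findings per component, components exposed through each finding)."""
    sbom = json.loads(sbom_json)
    findings = match_vulnerabilities(sbom, advisories)
    parents = reverse_dependencies(sbom)
    impact = {ref: transitively_affected(ref, parents) for ref in findings}
    return findings, impact


if __name__ == "__main__":
    found, exposed = analyze(SBOM_JSON, ADVISORIES)
    for ref, ids in found.items():
        print(f"{ref}: {', '.join(ids)}  -> exposes {sorted(exposed[ref])}")
```

Two things the output makes visible that the prose does not: `express` is not flagged because its version is at or above the fixed release, and the flaw in `qs`, a transitive dependency the application never declares directly, still reaches the top-level `webshop` component through `express`.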