1 Fundamentals

This chapter covers

Learning what supply chain is and isn’t
Understanding the impacts of supply chain incidents
Comprehending the primary goals and challenges of supply chain security
Developing the high level concepts needed to help achieve the goals of supply chain security

A QA-only version of an application is deployed. A build system is hijacked to include bad code. Rogue open-source developers have written malicious code. Servers with unknown hardware installed on them are racked in a data center. These are examples of real supply chain vulnerabilities and attacks.

These attacks and vulnerabilities don’t just affect a single system, they affect multiple systems, in some cases these attacks can affect the entire Information Technology (IT) environment of an organization. They are also becoming increasingly frequent.

In 2021 there were over 12,000 supply chain security attacks recorded which was a 650% increase from the previous year.[1] Over half of organizations in a 2022 survey have been impacted by supply chain attacks.[2]

1.1 What is Supply Chain Security?

1.1.1 Securing the SDLC

1.1.2 The Bottom Turtle

1.1.3 Why “Software” Supply Chain Security?

1.2 Supply Chain Impacts

1.2.1 Origins of Software Supply Chain Security

1.2.2 SolarWinds SUNBURST Attack

1.2.3 Colonial Pipeline Ransomware Attack

1.2.4 Meltdown and Spectre Vulnerabilities

1.3 The Goal

1.3.1 Attack Against or Vulnerability in Internal Supply Chain

1.3.2 Attack Against or Vulnerability in External Supply Chain

1.3.3 General Attacks and Vulnerabilities with Consequences in the Supply Chain

1.4 The Recursive Problem

1.5 Provenance

1.6 Putting it all Together

1.6.1 Secure Software Factory and Binary Authorization

1.6.2 Applying the Practices

1.7 Summary