Software Supply-Chain Security 101

Modern software is assembled, not written. A typical application is a thin layer of your code on top of hundreds, often thousands, of open-source dependencies, each with its own dependencies. Every one of those is code you ship and run, usually without reading it.

Software supply-chain security is the practice of making sure that borrowed code is what it claims to be, isn't malicious, isn't vulnerable, and can be trusted to run in your environment.

How the supply chain gets attacked

  • Malicious packages: attackers publish packages designed to steal secrets, mine cryptocurrency, or open a backdoor. They get installed via typosquatting or dependency confusion.
  • Compromised legitimate packages: an attacker takes over a real, popular package (via a hijacked maintainer account or a malicious contribution) and ships malware to everyone who updates.
  • Install-time execution: many ecosystems run scripts on install, so the payload fires before your code even runs.
  • Known vulnerabilities: a dependency has a publicly disclosed flaw (a CVE) that an attacker can exploit.
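
As an added example (not part of the original post), here is a pre-install audit covering two of the vectors above, typosquatting and install-time scripts, using npm's `preinstall`/`install`/`postinstall` lifecycle hooks as the ecosystem. The package names, the trusted list, and the `auditManifests` helper are constructed for illustration.

```javascript
// Added example: audit dependency manifests before anything is installed.
// npm runs these lifecycle scripts automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Levenshtein edit distance (two-row dynamic programming).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns one finding per suspicious property of each manifest.
function auditManifests(manifests, trustedNames, maxDistance = 1) {
  const trusted = new Set(trustedNames);
  const findings = [];
  for (const m of manifests) {
    // Vector 1: code that would execute at install time.
    const hooks = INSTALL_HOOKS.filter((h) => h in (m.scripts || {}));
    if (hooks.length > 0) {
      findings.push({ name: m.name, type: "install-script", detail: hooks.join(",") });
    }
    // Vector 2: an unknown name that is a near miss of a trusted one.
    if (!trusted.has(m.name)) {
      const near = trustedNames.find((t) => editDistance(m.name, t) <= maxDistance);
      if (near) findings.push({ name: m.name, type: "possible-typosquat", detail: near });
    }
  }
  return findings;
}

// Constructed sample data: hypothetical names, not real registry entries.
const TRUSTED = ["left-pad-example", "acme-http"];
const SAMPLE_MANIFESTS = [
  { name: "acme-http", version: "2.1.0", scripts: { test: "node test.js" } },
  { name: "acme-htpp", version: "1.0.0", scripts: { postinstall: "node setup.js" } },
  { name: "left-pad-example", version: "1.3.0", scripts: { install: "node-gyp rebuild" } },
];

for (const f of auditManifests(SAMPLE_MANIFESTS, TRUSTED)) {
  console.log(`${f.name}: ${f.type} (${f.detail})`);
}
```

An install hook is a review signal, not proof of malice: the constructed `left-pad-example` entry shows a native-build hook being flagged alongside the suspicious package.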

Why the old approach isn't enough

Scanning for known CVEs only catches yesterday's problems, and it floods you with alerts for issues that aren't even reachable in your app. Real defense needs three things: detection of novel threats, context to cut the noise, and a way to stop bad packages at the door.
