In depth
The defensive frameworks now in mainstream adoption are SLSA (Supply-chain Levels for Software Artefacts, pronounced "salsa"), a Google-originated, OpenSSF-stewarded maturity model, and the NIST Secure Software Development Framework (SSDF, SP 800-218). SLSA v0.1 defined four levels, from "documented build process" up to "two-party reviewed, hermetic, reproducible builds"; SLSA v1.0 restructured this into a Build track, L0 to L3, that keeps the signed-provenance and hardened-build-platform requirements and drops the code-review and reproducibility ones, so a claim of "SLSA compliance" needs a version and a level attached to mean anything. The SSDF is the framework that suppliers of software to US federal agencies have been required to attest conformance with since OMB memorandum M-22-18 in 2022. Both frameworks lean heavily on SBOM generation, artefact signing (Sigstore/cosign, in-toto attestations), provenance metadata and, at the top end, reproducible builds.
At the technical layer, modern supply chain controls include: dependency pinning by cryptographic hash (lockfiles, not floating versions, and installs that refuse anything the lockfile does not cover, such as `npm ci` or `pip install --require-hashes`); a private dependency registry that proxies upstream and retains every package version ever pulled, so an upstream deletion or republish cannot break or poison a rebuild; SCA scanning gated to fail the build on critical CVEs; build environments running on ephemeral runners with no long-lived credentials; provenance attestations generated automatically by the build platform and verified at deploy time, where the check covers not just the signature but the artefact digest, the builder identity and the source repository recorded in the attestation; VEX documents shipping alongside the SBOM so that known-non-exploitable findings are suppressed with a stated justification rather than by hand; and a CISA-style Known Exploited Vulnerabilities watchlist that escalates rather than queues, i.e. a KEV hit blocks regardless of its CVSS score.
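The deploy-time gate described above, written out as an added example (not code from the page or from any of the projects it names). It assumes the DSSE envelope around the attestation has already been signature-verified out of band (for instance with `cosign verify-attestation`) and implements only the policy that follows: the artefact we are about to ship must be a subject of the provenance, the builder id must be on an allow-list, the expected source repository must appear in `resolvedDependencies` with a commit digest, and SCA findings are filtered through an OpenVEX document before the severity/KEV rule decides. The artefact bytes, the provenance statement, the SCA rows, the VEX document and the KEV set are all constructed inline; the CVE ids and the `example-org/app` repository are placeholders, and the builder tag is an assumed pin.

```python
import hashlib
import json

# Builder identities we accept, mapped to the SLSA build level we credit them with.
# The slsa-github-generator workflow path is real; the tag pin is an assumption.
TRUSTED_BUILDERS = {
    "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/"
    "generator_generic_slsa3.yml@refs/tags/v2.0.0": 3,
}
EXPECTED_SOURCE = "git+https://github.com/example-org/app"  # placeholder repo


def check_provenance(statement, artefact, expected_source=EXPECTED_SOURCE,
                     trusted_builders=TRUSTED_BUILDERS):
    """Policy checks on an in-toto v1 statement carrying SLSA v1 provenance.
    Returns a list of problems; empty means the provenance covers this deploy.
    DSSE signature verification is assumed to have happened before this call."""
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        problems.append("not an in-toto v1 statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append("predicate is not SLSA provenance v1")
    # The provenance must name the exact bytes we are deploying, not just a filename.
    digest = hashlib.sha256(artefact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        problems.append("artefact sha256 is not a subject of this provenance")
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if builder not in trusted_builders:
        problems.append(f"untrusted builder id: {builder or '<missing>'}")
    # Where the source repo is recorded depends on buildType; for the GitHub
    # generator it is a resolvedDependencies entry with a gitCommit digest.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri", "").startswith(expected_source + "@")
               and d.get("digest", {}).get("gitCommit") for d in deps):
        problems.append("expected source repo with commit digest not in resolvedDependencies")
    return problems


def gate_findings(findings, vex, kev):
    """Apply VEX first, then the escalation rule. findings: SCA rows with
    id/product/severity; vex: OpenVEX document; kev: set of CVE ids.
    A not_affected statement only counts if it carries a justification."""
    not_affected = {
        (s["vulnerability"]["name"], p["@id"])
        for s in vex.get("statements", [])
        if s.get("status") == "not_affected"
        and (s.get("justification") or s.get("impact_statement"))
        for p in s.get("products", [])
    }
    verdict = {"blocking": [], "suppressed": [], "queued": []}
    for f in findings:
        if (f["id"], f["product"]) in not_affected:
            verdict["suppressed"].append(f["id"])
        elif f["id"] in kev or f["severity"] == "critical":
            verdict["blocking"].append(f["id"])   # KEV escalates regardless of score
        else:
            verdict["queued"].append(f["id"])     # fix on the normal SLA
    return verdict


# ---- constructed sample inputs (not real artefacts, CVEs or VEX data) ----
ARTEFACT = b"constructed release tarball bytes\n"
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTEFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "resolvedDependencies": [{"uri": EXPECTED_SOURCE + "@refs/heads/main",
                                      "digest": {"gitCommit": "0" * 40}}],
        },
        "runDetails": {"builder": {"id": next(iter(TRUSTED_BUILDERS))}},
    },
}
FINDINGS = [  # placeholder CVE ids, not real vulnerabilities
    {"id": "CVE-2099-0001", "product": "pkg:pypi/libfoo@1.2.3", "severity": "critical"},
    {"id": "CVE-2099-0002", "product": "pkg:pypi/libbar@4.5.6", "severity": "high"},
    {"id": "CVE-2099-0003", "product": "pkg:pypi/libbaz@7.8.9", "severity": "medium"},
]
VEX = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [{"vulnerability": {"name": "CVE-2099-0001"},
                    "products": [{"@id": "pkg:pypi/libfoo@1.2.3"}],
                    "status": "not_affected",
                    "justification": "vulnerable_code_not_in_execute_path"}],
}
KEV = {"CVE-2099-0002"}  # stand-in for the CISA KEV catalogue


def run_gate(statement=PROVENANCE, artefact=ARTEFACT, findings=FINDINGS,
             vex=VEX, kev=KEV):
    """Combine both checks into one deploy decision."""
    verdict = gate_findings(findings, vex, kev)
    verdict["provenance_problems"] = check_provenance(statement, artefact)
    verdict["deploy"] = not verdict["provenance_problems"] and not verdict["blocking"]
    return verdict


if __name__ == "__main__":
    print(json.dumps(run_gate(), indent=2))
```

With the constructed inputs the provenance passes, the critical finding is suppressed by the justified VEX statement, the high-severity KEV entry blocks the deploy on its own, and the medium finding is queued. Swap in a single byte of the artefact and the digest check fails first, which is the point of checking the subject digest rather than trusting the filename.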
The regulatory backdrop is now firmly behind these controls. The EU Cyber Resilience Act, US Executive Order 14028 (2021), the Australian Essential Eight and India's CERT-In directions have all moved supply-chain hygiene from "nice to have" to "audit finding if missing." See supply chain attacks 2026 and VAPT services.