Understanding and Maintaining Trust in the Software Supply Chain

A visual representation of top industrial IoT solutions showcasing connectivity and smart technology in action.
Author: Imran Khan, CRISC
Date Published: 9 July 2025
Read Time: 6 minutes

In today's digital age, software has become integral to daily life, powering everything from smartphones, cars, and general home appliances to critical infrastructure. The development and deployment of software often involves a plethora of people, processes, and technologies.

Software supply chains are essential for developing and deploying applications. However, their complexity and interconnected nature make them susceptible to security threats, undermining digital trust across the supply chain. To secure valuable data, organizations need to implement digital trust in software supply chains; however, several key challenges, vulnerabilities, and risk must be addressed to establish trust. By understanding the intricacies of digital trust, organizations can take proactive measures to secure their systems and foster confidence across the supply chain.

Understanding Software Supply Chains

A software supply chain can be defined as the network of people, organizations, processes, and technologies involved in the creation, development, and delivery of software. Essentially, the software supply chain comprises everything and everyone that develops, hosts, and executes software code. Activities in this ecosystem include:

  • Planning—This is the first step in a standard software development life cycle. The planning stage should define security features and requirements. Key considerations for software supply chains include vendor/technology selection, threat modeling, stakeholder analysis, and key business benefits (including ease of use and maintenance). 
  • Source code development—The initial software code is created.
  • Build and testing—This step includes compiling the code, integrating dependencies, and testing for vulnerabilities.
  • Code review—In a secure software development life cycle, code review should help determine whether sensitive data, including credentials, is properly protected. Checking for security in code reviews is a long-standing practice that helps bring security earlier in the development process. The goal is to catch security flaws before deployment or user acceptance testing (UAT). This step also ensures that coding best practices are followed, resulting in decreased downstream risk in the software supply chain. A proper code review should also look for input sanitization, parameter validation, output encoding, privilege escalation, and access control bypass.

    From a business point of view, security features are often treated as secondary add-ons rather than essential requirements, which can lead to higher costs, delayed product releases, and increased risk of security breaches. Furthermore, to avoid exploitation or a reportable event, it is important to ensure that error messages and logging do not contain exceedingly verbose messages.
  • Packaging and distribution—This step involves preparing the software for deployment and distributing it to end users.
  • Deployment and maintenance—This involves installing the software on systems and providing ongoing support.
  • Retirement/decommissioning—This is one of the most crucial, often overlooked, phases. It ensures the secure and orderly removal of an information system from an environment. This includes activities such as eliminating outdated, unsupported, or redundant software components, securely disposing of data, terminating access, and updating documentation—all aimed at minimizing security risk and maintaining compliance. It involves:
  • Patching/decoupling vulnerable packages, libraries, and components
  • Deactivating or retiring legacy code or unreviewed code, so that it cannot be accessed or executed (also helps preserve intellectual property)
  • Updating the software bill of materials (SBOM) to ensure that new and removed/updated components are appropriately documented
  • Updating access privileges and secrets, including encryption keys/certificates, tokens, privileged accounts credentials, etc., to ensure that they cannot be exploited

Understanding the software supply chain provides a strategic edge by enabling organizations to embed security throughout the life cycle, from planning to decommissioning. This proactive approach reduces vulnerabilities, ensures regulatory compliance, and minimizes supply chain risk, strengthening overall security and digital trust.

Recent Software Supply Chain Incidents

Third parties play a pivotal role in scaling enterprise operations, which results in a wider digital footprint and a bigger attack surface. According to the 2025 Verizon Data Breach Investigations Report (DBIR), there was a significant (100%) increase in supply chain attacks in 2025 compared to 2024, equating to 7956 incidents.1 Interestingly, the financial impact of supply chain data breaches also escalated significantly from 2024 to 2025, both in terms of average incident costs and total global damages. In 2024, the average global cost of a data breach reached US$4.88 million, marking a 10% increase compared to the previous year.2 There are several cases that exemplify the severity of these supply chain incidents.

The SolarWinds breach in 2020 was a major wakeup call to the industry.3 Hackers compromised SolarWinds’ Orion software build system to inject malicious code into updates that were distributed to tens of thousands of customers worldwide. Though this event is arguably the most influential, it was not the only one of its kind.

In 2021, the Log4J vulnerability came as a shock for industries that depended heavily on third-party developed software, where the use of Java is common.4 Apache Log4j is a widely used open-source logging library, embedded in the code of many commercial software packages. The vulnerability exploited allowed attackers to execute arbitrary code on systems, which led to data breaches and system compromises. One of the earliest known discoveries of this exploit was in a gaming chat room. The vulnerability did not require authentication or special privileges, so attackers wasted no time exploiting the insecure system. It offered malicious actors a clear path to deliver ransomware, engage in data theft, or otherwise infiltrate past organizational defenses. This vulnerability highlighted the challenges of managing and securing open-source components in a software supply chain.

Understanding the software supply chain provides a strategic edge by enabling organizations to embed security throughout the life cycle, from planning to decommissioning.

In a 2024 disclosure, Kaspersky announced that malicious packages containing JarkaStealer, a malware designed to exfiltrate sensitive information from infected systems, were distributed via Python Package Index (PyPI), a popular repository for Python developers.5 With an increasing shift towards data analytics popularization and wide adoption of artificial intelligence (AI)/machine learning (ML), Python has resurfaced from a bygone ‘90s era to reclaim its prominence in the modern computing environment. Python’s simplicity, extensive libraries, versatility, and platform-agnostic nature make it the go-to language for AI/ML development.

In 2025, The Lazarus Group, a North Korean state-sponsored hacking group, targeted the software supply chain as part of its ongoing cyberoperations (Operation Marstech Mayhem).6 In this operation, the group targeted open-source code repositories such as GitHub, npm, and PyPI. The Lazarus Group is notoriously famous for its sophisticated tactics, techniques, and procedures (TTPs) and has been involved in various high-profile cyberattacks, including the 2014 Sony Pictures hack, the WannaCry ransomware attack, and numerous cryptocurrency heists.7

These breaches continue to escalate in both sophistication and severity, representing just the tip of the iceberg. A comparative summary is provided in figure 1.

Figure 1—Comparison of Supply Chain Breaches

Year Breach Name Root Cause Threat Actor Attack Vector Impact Est. Cost (USD)
2017 WannaCry EternalBlue exploit (unpatched server message block [SMB] vulnerability) Lazarus Group Ransomware Global disruption US$4 billion+
2020 SolarWinds Malicious code injected into SolarWinds’ Orion updates APT29 (allegedly) Compromised build system Global disruption,
impacting government
and private
organizations

Led to data exfiltration
from US government
and major enterprises
US$100 million+
2021 Log4j Vulnerability Unauthenticated zero-day remote code execution (RCE) flaw in Apache Log4j library (CVE-2021- 44228) due to insecure Java Naming and Directory Interface (JNDI) lookups Unknown Logging library exploited via input strings Remote code execution,
ransomware, and
data theft

Tens of thousands of
organizations impacted
globally (e.g., Apple,
Amazon Web Services
[AWS], VMware,
Minecraft, various
financial services and
healthcare firms)
US$1 billion+
(mitigation and
patching)
2024 JarkaStealer Malware as a service (MaaS) for stealing credentials Unknown Email and malicious software packages Credential theft
primarily of
financial services
Not available;
this is an
ongoing campaign

Supply Chain Vulnerabilities

These examples are not meant to raise alarm but to make organizational leaders aware that digital trust in the software supply chain is paramount, and that the loss of trust can occur at any point in the software supply chain, thus undermining the confidentiality, integrity, and availability (CIA) of software and systems. Recent software supply chain incidents underscore the fragility of the software supply chain, which arises from:

  • Overreliance on third-party components—Many organizations depend on external libraries, tools, and services without fully understanding their security posture.
  • Lack of visibility—Organizations often lack visibility in their software dependencies, leading to undetected risk.
  • Complexity—Modern software development involves numerous interconnected components, increasing the attack surface.
  • Targeting weak links—Attackers focus on compromising widely used components or tools to maximize their impact.
  • Rise of AI—AI-generated code poses an emerging threat as it may be exploited by malicious actors. Even the legitimate use of AI-generated code is questionable, as it may introduce vulnerabilities and malicious elements missed by traditional code reviews.8
Organizations are encouraged to align with guidance such as ISACA’s COBIT objectives to develop defensible, audit-ready approaches to software assurance and supply chain security.

The consequences of a compromised software supply chain can be severe, ranging from data breaches to financial loss incurred by the organization. When comparing supply chain compromises to other types of attacks, the costs and implications can be significantly higher, for several reasons:

  • Operational disruption—Critical systems may be compromised, leading to downtime and business disruption. An example is the SolarWinds breach, which also impacted government systems.
  • Legal and regulatory consequences—Organizations may face legal penalties and regulatory fines. Consider the 2017 Equifax breach, which resulted in multimillion-dollar fines by regulators in the European Union, North America, and the United Kingdom, along with scores of consumer lawsuit settlements.9
  • Reputational damage—This is perhaps the most difficult area to quantify in a standard risk assessment exercise. However, organizations that have experienced breaches leading to reputational damage are better equipped to incorporate lessons learned from historical events into their future risk assessments. A notable example is the infamous data breach of Target, a major US retail giant.10 The breach originated from a third-party heating, ventilation, and air conditioning (HVAC) vendor that eventually compromised its point of sale (POS) devices. This breach led to significant reputational harm and a decline in sales.

Mitigating the Risk of Supply Chain Attacks

Risk is omnipresent. However, organizations can undertake several strategies to reduce their potential impact on business operations if/when a risk materializes. Similarly, to mitigate the risk associated with trust erosion in software supply chains, organizations should implement a comprehensive security strategy that includes a number of best practices.

Code signing and artifact verification can be implemented to ensure the integrity of software components. In 2017, the US Federal Financial Institutions Examinations Council (FFIEC) in its Cybersecurity Assessment Tool (CAT) inserted the control requirement that software code executables and scripts must be digitally signed to confirm the software author and guarantee that the code has not been altered or corrupted.11 It is worth noting that the tool will be sunset on 31 August 2025.12

Similarly, ISACA® publications on secure DevOps practices highlight the need for continuous integration of code assurance, automated security testing, and artifact verification across the software life cycle. COBIT’s governance objectives, particularly areas such as BAI03 Manage Solutions Identification and Build and DSS05 Manage Security Services, emphasize the importance of verifying software sources and protecting against unauthorized code execution as part of robust IT governance and control practices.13 Organizations are encouraged to align with guidance such as ISACA’s COBIT objectives to develop defensible, audit-ready approaches to software assurance and supply chain security.14

Furthermore, the US National Institute of Standards and Technology (NIST) inserted a similar requirement in its Cybersecurity Framework (CSF) 2.0, appropriately placing it under the Protect function.15 Leading intelligence organizations, including the US National Security Agency (NSA) and Australian Signals Directorate (ASD), caution organizations against using full application signing (a cryptographic process used to verify the authenticity and integrity of software, scripts, or executables), as there are significant costs associated with implementing and maintaining such controls.16 Applications/component whitelisting is an explicit mention of allowed code execution. Altered/malicious code will not execute. One may consider implementing off-the-shelf software for application allowlisting.

Practical Recommendations

In today's evolving cybersecurity landscape, securing the software supply chain is a critical priority. Certain measures can help organizations proactively identify vulnerabilities, reduce third-party risk, and strengthen overall software integrity.

SBOM/SSDLC
Security and engineering leaders can mandate thorough documentation of software builds and components to track and manage software components with a rigorous maintenance process. This will provide essential visibility into dependencies and enable faster vulnerability response.

The secure software development life cycle (SSDLC) extends beyond custom code to include pre-built software, updates, upgrades, and the generation and maintenance of a SBOM, embedding security at every stage. While SSDLC can be resource-intensive, it significantly reduces downstream risk. Automated scanning of open-source and external libraries, disciplined code reviews, and comprehensive SBOM management are nonnegotiable practices to detect defects and malicious code early. Leadership must set the tone that these controls are not about distrust but about ensuring integrity, resilience, and accountability in software delivery.

Vendor Risk Management
Many breaches can be attributed to compromised third parties. To mitigate the risk of compromise, organizations should conduct thorough due diligence on all third-party vendors and draft unambiguous contractual agreements for security requirements for each vendor, including, but not limited to, the vendor committing resources for onsite and offsite inspections (right to audit clause). Vendors providing critical services such as software and data processing should also agree to implement enhanced controls such as multifactor authentication (MFA), continuous vulnerability monitoring, secure browsing, microsegmentation, etc.

User Monitoring
In addition to traditional monitoring of user access to applications, servers, and data, organizations should implement tools to detect unusual changes in code or dependencies. Organizations tend to treat the non-production (development/UAT) environment as a lower priority, while the emphasis of implementing security controls is generally placed on production and pre-production environments.

Threat Intelligence
Threat intelligence plays a vital role in keeping an organization ahead of developments happening in the industry in real time. This function can leverage many intelligence vendors and industry forums (e.g., Financial Services Information Sharing and Analysis Center [FS-ISAC], Health Information Sharing and Analysis Center [Health-ISAC], Water Information Sharing and Analysis Center [WaterISAC]). Moreover, threat intelligence can be used to monitor suspicious activities in the software supply chain.

Stakeholder Education
It is crucial to educate developers and stakeholders about secure coding practices and supply chain risk to align with secure development frameworks such as Microsoft’s Security Development Lifecycle (SDL) and NIST’s Secure Software Development Framework (SSDF).17

Conclusion

The software supply chain is indispensable to digital life. Software drives innovation, competitiveness, and even national security; as such, maintaining digital trust in the software supply chain is no longer optional. To preserve this trust, organizations must go beyond reactive security and embed proactive, continuous risk management into every stage of the software life cycle, from sourcing open-source components to deploying third-party integrations. Transparency, verifiability, and accountability must become foundational principles. This means adopting secure practices, implementing SBOMs, conducting rigorous supplier due diligence, and continuously monitoring for emerging threats.

Building a trusted supply chain does not rest on the shoulders of technical and functional teams alone. It is a leadership imperative. Leaders, developers, procurement officers, and legal and compliance teams must work collaboratively to create a culture where security is treated as a shared responsibility. Digital trust requires vigilant defense and diligent preservation.

Endnotes

1 Verizon, 2025 Data Breach Investigations Report, 2025 
2 Thomson Reuters, “The Cost of Data Breaches,” 11 December 2024
3 Knake, R.K.; “Why the SolarWinds Hack Is a Wake-Up Call,” Council on Foreign Relations, 9 March 2021
4 Rafalski, K.; “Is Java Still Used? Current Trends and Market Demand in 2025,” Netguru, 1 March 2025
5 GReAT; “JarkaStealer in PyPI Repository,” Kasperksky, 21 November 2024
6 Muncaster, P.; “North Korea Targets Crypto Devs Through NPM Packages,” InfoSecurity Magazine, 13 February 2025
7 MITRE ATT&CK, “Lazarus Group” 
8 Perry, N.; Srivastava, M.; et al.; “Do Users Write More Insecure Code with AI Assistants?,” arXiv, 2023
9 BBC, “Equifax to Pay up to $700m to Settle Data Breach,” 22 July 2019
10 Young, K.; “Cyber Case Study: Target Data Breach,” CoverLink Insurance, 13 September 2021
11 Federal Financial Institutions Examination Council, “Cybersecurity Assessment Tool” 
12 Waldman, J.; “The FFIEC CAT Tool's 9th Life: What Financial Institutions Need to Know About Its Sunset,” SBS Cybersecurity, 30 August 2024
13 ISACA®, COBIT®, USA, 2018
14 ISACA, COBIT
15 National Institute of Standards and Technology, “Cybersecurity Framework,” USA
16 National Defense ISAC, “Code Signing
17 Microsoft, “Microsoft Security Development Lifecycle (SDL),” ; National Institute of Standards and Technology, “Secure Software Development Framework,” USA

Imran Khan, CRISC, CISSP

Is an expert in information security program and project management, regulatory compliance, and governance, risk, and control (GRC). Khan brings a wealth of experience from highly regulated industries including financial services, life sciences, and healthcare. He is a key member of the security team at a multinational financial services enterprise and a principal consultant at IMNAD.

Additional resources