Build tools are another category that is easy to overlook when thinking about the software supply chain. This includes developers’ editors, plugins, compilers, utilities, and anything else used in building an application. In airplane manufacturing, for example, the supply chain includes the seats, engines, rivets, and other parts that are assembled into an airplane, but it also includes the wrenches, rivet guns, scaffolding, and anything else that is used during the assembly of the airplane.
Deployment of an application is also part of the software supply chain. Many applications are now deployed as containers, so the same supply chain questions apply to them: How are container images selected? What risk assessment has been done, or still needs to be done, on those images? And just as important, where do the container images come from, and can you trust the repository or registry they are pulled from?
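The provenance questions above can be turned into an automated check in the build pipeline. The script below is an added example, not code from the original page: it parses the `FROM` lines of a Dockerfile, resolves each image reference to its registry, and flags images that come from a registry outside a trusted allowlist, that are not pinned by a `sha256` digest, or that float on the mutable `latest` tag. The allowlist (`TRUSTED_REGISTRIES`), the placeholder digest and the sample Dockerfile are constructed for illustration; the function and constant names are this example's own. A real pipeline would pair this with signature verification of the pulled image, which is not shown here.

```python
import re

# Constructed allowlist for illustration: registries this example treats as trusted.
TRUSTED_REGISTRIES = {"docker.io", "registry.example.internal"}

# Matches: FROM [--platform=...] <image-ref> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE,
)
SHA256_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest).

    Follows the Docker naming convention: the first path component is a registry
    only if it contains '.' or ':' or is 'localhost'; otherwise the image is
    assumed to live on docker.io.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, repo = parts[0], "/".join(parts[1:])
    else:
        registry, repo = "docker.io", ref
    tag = None
    # A ':' introduces a tag only in the last path component (ports belong to the registry).
    if ":" in repo.rsplit("/", 1)[-1]:
        repo, tag = repo.rsplit(":", 1)
    return registry, repo, tag, digest


def check_dockerfile(text, trusted=TRUSTED_REGISTRIES):
    """Return a list of (line_number, image_ref, issue) for every risky FROM line."""
    findings = []
    stages = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref in stages:
            continue  # reference to an earlier build stage, not an external image
        if m.group("stage"):
            stages.add(m.group("stage"))
        registry, _repo, tag, digest = parse_image_ref(ref)
        if registry not in trusted:
            findings.append((lineno, ref, "untrusted registry: " + registry))
        if digest is None:
            findings.append((lineno, ref, "not pinned by digest"))
            # No tag at all means an implicit 'latest'; both float over time.
            if tag is None or tag == "latest":
                findings.append((lineno, ref, "floating tag 'latest'"))
        elif not SHA256_RE.match(digest):
            findings.append((lineno, ref, "malformed digest: " + digest))
    return findings


# Constructed sample input: a three-stage Dockerfile with one pinned and two unpinned bases.
PINNED_DIGEST = "sha256:" + "0123456789abcdef" * 4  # placeholder digest, not a real image
SAMPLE_DOCKERFILE = "\n".join([
    "FROM golang:1.22 AS builder",
    "WORKDIR /src",
    "COPY . .",
    "RUN go build -o app .",
    "",
    "FROM registry.example.internal/base/distroless@" + PINNED_DIGEST,
    "COPY --from=builder /src/app /app",
    "",
    "FROM evil.example.com/tools:latest AS scanner",
    "FROM builder",
])

if __name__ == "__main__":
    for lineno, ref, issue in check_dockerfile(SAMPLE_DOCKERFILE):
        print("line %d: %s: %s" % (lineno, ref, issue))
```

Pinning by digest is what makes the check meaningful: a tag such as `1.22` can be re-pointed at a different image by whoever controls the repository, whereas a digest names exactly one image content. The script deliberately does not flag the digest-pinned internal image, and treats a later `FROM builder` as a stage reference rather than an external pull.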
The software supply chain might be bigger than you thought, but the answer is still a comprehensive approach to security. Nobody talks about airplane manufacturing separately from safety: every design decision, every selection of parts, every phase of manufacturing has an undercurrent of safety. Similarly, security and software are becoming inextricably entwined. The process that leads from application design through implementation, deployment, and maintenance must have security infused at every phase.
Managing risk in the software supply chain is challenging but important. Software risk is business risk. A holistic approach to reducing risk across the whole supply chain, from build tools through dependencies to deployment, is what builds justified trust in the software it produces.