The software supply chain comprises everything that touches an application or plays a role in its assembly, development, or deployment. This includes proprietary and open source code, components built by your development team as well those provided by third parties, APIs and cloud services employed by your software, and the infrastructure used to build and deliver that software to the end user.
The final product—and its users—is affected by every component, person, activity, material, and procedure involved in the process. Weaknesses anywhere can introduce risk everywhere, and the only way to mitigate this risk is to understand everything that's in the supply chain.
This guide details several key considerations for securing the software supply chain. On a fundamental level, it explains how to secure applications from upstream risk and how to prevent your organization from generating downstream risk.
Key considerations for securing your software supply chain include