How to Maintain Software Supply Chain Security

April 17th, 2025

Software supply chain security has never been more important. As dev teams increasingly rely on third-party components, open-source libraries, and external vendors, attackers evolve their methods to exploit weaknesses in the software supply chain. Techniques such as dependency hijacking and CI/CD pipeline targeting have become significant, affecting businesses of all sizes.

In this article, we’ll examine the rise of software supply chain attacks, why they are increasing, the factors that enable them, and the best practices you can implement to keep your software supply chain secure.

What are software supply chain security and software supply chain attacks?

Software supply chain security is all about protecting the components, processes, and practices of building and deploying software. This includes third-party and proprietary code, deployment methods, infrastructure, interfaces, protocols, developer practices, and the tools used throughout. Organizations must secure these elements and demonstrate their security efforts to customers, partners, and regulators.

A software supply chain attack happens when attackers compromise a third-party vendor, open-source component, or software dependency to gain access to applications and systems. It’s especially insidious because instead of going after a company’s infrastructure directly, they target the trusted components developers rely on.

Why is it risky to rely on third-party components?

It’s easy to focus on simply securing your source code with SAST or code obfuscation. And while those are both important, they’re only part of the equation. Today’s applications rely heavily on third-party components, open-source libraries, and vendor software, and all of those things can introduce serious security risks if not properly vetted.

Many organizations blindly trust third-party vendors, assuming their security measures are solid. But that assumption can lead to unforeseen gaps:

Vendors aren’t always secure. Smaller vendors often lack strong security practices, vulnerability management, or compliance enforcement.
A single compromise can impact thousands. If a widely used open-source package is compromised, attackers gain access to every application that integrates it.
Certifications ≠ security. Compliance does not guarantee security—certifications like SOC 2 do not mean a vendor’s software is free of vulnerabilities.

The bottom line is that you’re responsible for securing what you bring into your dev environments. Even trusted third-party components need a watchful eye, continuous monitoring, and thorough risk assessments.

Software supply chain attacks are on the rise

Not long ago, enterprises built applications with code they wrote. Today, the majority of applications utilize open-source packages and third-party components. While third-party code speeds up development, it also introduces security risks like vulnerabilities, licensing issues, and the potential for malicious actors to inject harmful code into dependencies.

The rise of AI-generated code, cloud-native architectures, and automated CI/CD pipelines has only added to the complexity. A single weakness in a third-party dependency can allow an attacker to move through the entire supply chain.

The cost and impact of software supply chain attacks

According to IBM’s Cost of a Data Breach Report 2024, the average cost of a supply chain compromise is $5.1 million, nearly 5% higher than breaches that did not target the supply chain .
By 2031, software supply chain attacks are projected to cost $137.7 billion—more than double the $51.8 billion in 2024.
The number of software packages affected by supply chain attacks skyrocketed from 700 in 2019 to over 185,000 in 2022—an increase of 260 times.
This year (2025), Gartner predicts that 45% of organizations worldwide will experience a software supply chain attack—three times the rate seen in 2021.
In 2025, it is projected that 60% of supply chain organizations and their Chief Supply Chain Officers (CSCOs) will consider cybersecurity risk a primary factor in digital supply chains, third-party transactions, and business engagements. (Source)

Regulations impacting software supply chain security

Regulations like GDPR, PCI DSS, NIST SSDF, and the EU CRA all emphasize the necessity of securing third-party dependencies and preventing supply chain attacks. If your projects fall under these regulations, you must actively monitor software supply chains and document compliance efforts.Interestingly, many of these frameworks recommend using software composition analysis (SCA) and maintaining a software bill of materials (SBOM)—precisely where Kiuwan can help.

Regulation	Why it matters	Impact	Requirement
General Data Protection Regulation (GDPR)	Requires data security for companies processing EU citizen data, extending to third-party software providers and dependencies.	Organizations must vet third-party vendors to ensure strong security measures and prevent unauthorized access to personal data.	Failing to secure the supply chain can lead to a third-party breach that exposes personal data, resulting in fines of up to €20 million or 4% of annual revenue.
Payment Card Industry Data Security Standard (PCI DSS 4.0)	Applies to any company handling credit card transactions and enforces strict software security requirements.	Organizations must secure third-party software providers, enforce strong encryption, and track dependencies in payment processing applications.	Software must be regularly tested for vulnerabilities, and security measures must extend to all third-party integrations.
NIST Secure Software Development Framework (SSDF) & NIST 800-161	Provides guidelines for securing the software supply chain, particularly for organizations contracting with the U.S. government.	Companies must maintain a Software Bill of Materials (SBOM) and assess vendor risks before using third-party software.	Federal agencies and contractors must comply with NIST SSDF to ensure software integrity.
Executive Order 14028 (U.S. Federal Supply Chain Security Initiative)	Issued in 2021, this U.S. executive order enhances supply chain security for software used by government agencies.	Companies selling software to the federal government must meet strict security guidelines, including SCA scanning, vulnerability tracking, and SBOM management.	Software vendors must prove supply chain security efforts through documentation and audits.
EU Cyber Resilience Act (CRA)	Introduces strict cybersecurity requirements for software and hardware manufacturers in the European Union.	Vendors must actively monitor software components, fix vulnerabilities promptly, and disclose security risks.	Products must be secure by design, and vendors must maintain end-to-end security oversight of their entire supply chain.
ISO/IEC 27001	A globally recognized information security management standard.	Organizations must assess third-party risks, implement continuous monitoring, and enforce security policies across their software supply chain.	Companies must integrate supply chain security into their overall security risk management framework.
U.S. SEC Cybersecurity Disclosure Rules (2023)	U.S. public companies must disclose cybersecurity risks, including risks from third-party software.	Companies must report on supply chain security practices and disclose breaches linked to third-party dependencies.	Failure to secure the supply chain may result in regulatory action and investor scrutiny.

Recent software supply chain attacks

Supply chain attacks are already disrupting businesses, governments, and infrastructure.

One of the best examples is the SolarWinds attack that happened in 2020 when criminals compromised a routine software update for Orion, SolarWinds’ IT management platform. Attackers infiltrated 18,000 customers, including corporations and government agencies, by embedding a backdoor into an update plugin.

What made this attack particularly alarming was its impact, affecting energy providers, manufacturers, and supply chain stability. This shows exactly how a single compromised software vendor could risk entire industries. The repercussions are still felt today, underscoring the urgent need for rigorous software supply chain security measures.

Other notable software supply chain attacks

The SolarWinds attack was a wake-up call, but it is far from the only incident. Here are several other breaches that reveal just how vulnerable a software supply chain can be.

Kaseya VSA ransomware attack (July 2021)

Attackers exploited a zero-day vulnerability in Kaseya’s remote IT management software, compromising its update mechanism.
The REvil ransomware gang used the breach to distribute malware through managed service providers (MSPs), infecting over 1,500 businesses globally.
This attack highlighted how trusted IT tools can become powerful vectors that spread ransomware downstream through entire supply chains.

MOVEit Transfer breach (2023-2024)

The Clop ransomware gang exploited a vulnerability in MOVEit Transfer, a widely used file transfer tool.
Over 2,500 organizations, including banks, universities, and government agencies, suffered data theft as attackers exfiltrated millions of sensitive records.
The incident demonstrated how just one vulnerable third-party tool can wreak havoc on entire industries..

XZ Utils backdoor attack (March 2024)

A malicious maintainer inserted a stealth backdoor into XZ Utils, a popular data compression library used in many Linux distributions.
The backdoor went undetected for nearly two years, revealing the risks of trusting open-source maintainers without rigorous vetting.
This attack proved that even foundational open-source utilities can be silently weaponized against organizations.

PyPI package hijack (February 2024)

Attackers took over an abandoned Python Package Index (PyPI) module, injecting Nova Stealer malware into the package.
Developers unknowingly integrated the compromised package into their applications, exposing users to credential theft and data breaches.
This attack reinforced the need to continuously monitor third-party dependencies, especially in open-source ecosystems.

Revival hijack attack (September 2024)

Attackers re-registered deleted PyPI package names, potentially hijacking 22,000+ previously trusted packages.
Developers who relied on outdated package names unknowingly introduced malware into their applications.
This incident showed how unmaintained or deleted dependencies create security blind spots.

Trojanized jQuery library (July 2024)

Attackers uploaded 68 fake jQuery packages to popular open-source repositories, embedding malware in the “end” function.
Organizations unknowingly integrated the compromised jQuery versions into web applications, exposing themselves to data theft and malicious script execution.
This attack demonstrated how even widely trusted libraries can be weaponized if security controls are lax.

How do I protect my applications from a software supply chain attack?

Software supply chain attacks exploit hidden weaknesses in third-party dependencies, open-source components, and CI/CD pipelines. To reduce risk, organizations must proactively secure their development processes—front to back, start to finish. The following tips describe how organizations can strengthen their defenses to prevent software supply chain attacks.

Maintain a software bill of materials (SBOM)

An SBOM provides visibility into all third-party and open-source components within your software, helping you track dependencies, enforce security policies, and identify vulnerabilities before attackers exploit them. SBOM adoption is increasingly mandated by regulatory bodies, ensuring compliance while reducing security risk.

Maintain an updated inventory of all software components.
Identify vulnerabilities and outdated dependencies early.
Ensure compliance with evolving security regulations.

Secure third-party & open-source dependencies

Third-party code is a major attack vector. Organizations must proactively manage risks by scanning for vulnerabilities, verifying component integrity, and ensuring that external dependencies are properly secured.

Use software composition analysis (SCA) to detect vulnerabilities in real-time.
Implement dependency signing and private package management.
Encrypt sensitive data in transit and at rest.

Assess & monitor vendor security

Vendor security cannot be assumed. Even SOC 2 or ISO 27001-certified vendors may have vulnerabilities. Organizations must conduct continuous risk assessments to ensure all suppliers follow strong security practices.

Evaluate vendors’ security policies and patching practices.
Require vendors to provide proof of encryption and access management.
Continuously monitor third-party risks and compliance.

Implement security throughout the SDLC

Security must be integrated into the entire development lifecycle (SDLC) to prevent vulnerabilities from reaching production. A secure SDLC ensures that software is built with security in mind from the start.

Enforce secure coding standards and peer code reviews.
Use SAST and automated penetration testing in CI/CD pipelines.
Apply threat modeling and risk assessments at every stage.

Protect the development environment

Attackers are attracted to pre-production environments and can exploit misconfigured development tools to insert malicious code before deployment. Organizations must lock down development environments to prevent unauthorized access.

Secure cloud-based development workstations with centralized controls.
Enforce network segmentation to limit lateral movement.
Implement data loss prevention (DLP) to prevent data leaks.

Harden CI/CD pipelines & secure software distribution

CI/CD pipelines introduce security risks, such as poisoned builds and unauthorized modifications. Securing CI/CD workflows and software distribution ensures that deployed software is trusted and tamper-proof.

Implement code signing to verify software authenticity.
Use role-based access control (RBAC) to prevent unauthorized pipeline changes.
Validate software integrity with checksums and cryptographic signing.

Monitor & secure code repositories

Repositories store critical source code and artifacts, making them prime targets for attackers. Without strict access controls, malicious actors can inject compromised code into production.

Apply the principle of least privilege to repositories.
Use secure artifact repositories (e.g., JFrog, AWS CodeArtifact).
Enforce immutable builds to prevent unauthorized changes.

Plan for incident response & supply chain disruptions

Even with strong defenses, breaches can occur. A robust incident response plan (IRP) ensures organizations can quickly detect, contain, and remediate supply chain security incidents.

Develop a rapid containment and remediation strategy.
Conduct regular security drills and tabletop exercises.
Perform root cause analysis to prevent future attacks.

Reduce human risks in the software supply chain

Software supply chain attacks are technical, but they also involve social engineering, insider threats, and credential theft. Developers and DevOps teams need training to recognize and prevent these attacks.

Train teams to identify phishing attempts and credential leaks.
Enforce multi-factor authentication (MFA) across development environments.
Continuously monitor for anomalous developer activity.

How Kiuwan strengthens software supply chain security

Kiuwan provides end-to-end visibility into the software supply chain, helping organizations identify, manage, and remediate risks from open-source and third-party code. By integrating Software Composition Analysis (SCA) and Static Application Security Testing (SAST), Kiuwan ensures that both third-party and proprietary code remain secure, compliant, and free of vulnerabilities.

Discover, map, and assess risks in all open-source packages, including transitive dependencies, typosquatting, and other threats.
Prioritize remediation efforts using reachability analysis, SAST correlation, and exploitability assessments to focus on the most critical vulnerabilities.
Embed security into development workflows by integrating with CI/CD pipelines, IDEs, and DevOps processes.
Ensure compliance and security policy enforcement with SBOM component creation and open-source license risk detection.
Provide actionable guidance to security teams and developers for fast, effective risk mitigation and proactive software supply chain defense.

Your software supply chain is only as secure as its weakest link, and attackers are constantly on the lookout for an opening. Request a free demo of Kiuwan today and learn how you can help secure your software supply chain against emerging threats.