The so-called software supply chain has been generating a lot of buzz these days. It came fully into the spotlight because of the global intrusion campaign where attackers used the update process of the popular Orion management software from SolarWinds to upload malicious code. Over 18,000 customers were affected, although the attackers only selectively attacked major corporations and government agencies once their backdoor was installed.
SolarWinds was probably the highest-profile supply chain attack in recent history, but there have been many others. The attack led to a reevaluation of who is responsible for security. For example, one of the major responses to the SolarWinds attack was President Biden’s Executive Order on Improving the Nation’s Cybersecurity. Among other things, the order stresses the need for supply chain security. And for the first time, a high-profile government directive specifically mentioned developers’ responsibility to deploy secure software.