How to protect your software supply chain
Your supply chain is everything that affects what you end up running in production: your own code, all your dependencies and their transitive dependencies, whatever ships with the base images for your containers, AMIs or other machine images, and the third-party tools and libraries you use in the build pipeline.
A change in any of these, malicious or otherwise, can change what you are running in production. What are the risks?
Supply chain attacks that compromise your application's data or availability through changes to the application itself, and also bugs, vandalism or acts of protest in the components you depend on.
Three things you can do to improve your resilience to supply chain threats are: visibility (know what your dependencies are), a process to detect new vulnerabilities both in your deployed application and in each new deployment, and minimizing your supply chain wherever you can.
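One concrete form of that visibility is an inventory of exactly which pinned artifacts each build resolved, diffed against the previous build so that any change in what reaches production is surfaced. The following is an added example, not code from the original post: it parses two pip-style lockfile snapshots (constructed sample data with made-up hashes), flags entries that carry no hash, and classifies what changed between the builds.

```python
"""Dependency inventory from pinned lockfiles and a diff between two builds."""
import re

# Constructed sample lockfiles (pip requirements format with --hash pins).
# Package names are real, but versions and hash values are made up.
LOCK_BUILD_1 = """\
requests==2.31.0 --hash=sha256:aaaa
urllib3==2.0.7 --hash=sha256:bbbb
certifi==2023.7.22 --hash=sha256:cccc
"""
LOCK_BUILD_2 = """\
requests==2.31.0 --hash=sha256:aaaa
urllib3==2.0.7 --hash=sha256:dddd   # same version, different artifact
idna==3.4                           # pinned version but no hash
"""

# name==version followed by zero or more "--hash=algo:hex" options
LINE_RE = re.compile(r"^([A-Za-z0-9_.-]+)==(\S+)((?:\s+--hash=\S+)*)$")


def parse_lock(text):
    """Return ({name: (version, frozenset(hashes))}, [names without a hash]).

    Lines that are not of the form name==version are treated as unpinned
    and raise, because an inventory built from them would be incomplete.
    """
    inventory, no_hash = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unpinned or unparseable requirement: {line!r}")
        name, version, hash_opts = match.groups()
        hashes = frozenset(opt.split("=", 1)[1] for opt in hash_opts.split())
        if not hashes:
            no_hash.append(name.lower())
        inventory[name.lower()] = (version, hashes)
    return inventory, no_hash


def diff_locks(old, new):
    """Classify every package that differs between two inventories."""
    findings = {"added": [], "removed": [], "version_changed": [], "hash_changed": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            findings["added"].append(name)
        elif name not in new:
            findings["removed"].append(name)
        elif old[name][0] != new[name][0]:
            findings["version_changed"].append(name)
        elif old[name][1] != new[name][1]:
            findings["hash_changed"].append(name)  # same version, new bytes
    return findings
```

A build that reports anything under `hash_changed`, or any name in the no-hash list, is the kind of change this article says you need a process to notice before it reaches production.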