docs: proofread and finalize blips for v8

This commit is contained in:
Stefan Rotsch
2024-06-27 10:20:01 +02:00
committed by Stefan Rotsch
parent 60f12f9549
commit 0fedaab680
40 changed files with 76 additions and 114 deletions


@@ -7,7 +7,7 @@ tags: [devops, security]
Software supply chain security is a complex endeavor. Attack vectors range from external dependencies in source code to operating systems and tools used in build, test, and production environments. Compromise of a single stage of the supply chain may lead to compromise of the produced software and subsequently of customers that rely on it.
Over the last years, successful attacks on large software vendors have demonstrated the potential impact of such attacks. For instance, the SolarWinds Orion software was [compromised](https://en.wikipedia.org/wiki/SolarWinds#2019%E2%80%932020_supply_chain_attacks) due to an insecure password that allowed attackers to inject a backdoor into software artifacts. Several SolarWinds customers, including US federal government agencies, were compromised as a result of this attack. The [xz backdoor](https://tukaani.org/xz-backdoor/) showed that malicious parties are also stepping up their efforts to place backdoors in widely used open-source software projects in ways that are very hard to detect and prevent.
Over the last few years, successful attacks on large software vendors have demonstrated the potential impact of such attacks. For instance, the SolarWinds Orion software was [compromised](https://en.wikipedia.org/wiki/SolarWinds#2019%E2%80%932020_supply_chain_attacks) due to an insecure password that allowed attackers to inject a backdoor into software artifacts. Several SolarWinds customers, including US federal government agencies, were compromised as a result of this attack. The [xz backdoor](https://tukaani.org/xz-backdoor/) showed that malicious parties are also stepping up their efforts to place backdoors in widely used open-source software projects in ways that are very hard to detect and prevent.
Software libraries and other external dependencies are a major attack vector when building software. We use the following measures regarding external dependencies to improve supply chain security:
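Review bot: the claim in the retained sentence that SolarWinds Orion "was compromised due to an insecure password that allowed attackers to inject a backdoor into software artifacts" asserts a specific root cause that the hunk's only citation, a general Wikipedia section on the 2019-2020 supply chain attacks, is not a dedicated source for; since this commit is a proofreading pass, either hedge the wording (for example "was compromised, allowing attackers to inject a backdoor into software artifacts") or add a reference that specifically supports the password-as-cause statement. The wording change from "Over the last years" to "Over the last few years" is correct and reads naturally.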