Defending against supply chain attacks
From SolarWinds to xz-utils, supply chain compromise is now a top-tier risk — here is how to harden your software bill of materials and vendors.
Supply chain attacks abuse the trust between a vendor and its customers. In the 2020 SolarWinds Orion incident, up to 18,000 customers installed the trojanized update; the 2024 xz-utils backdoor (CVE-2024-3094) hid a remote-access hook in liblzma that reached sshd through its systemd linkage and was caught before it shipped in stable distribution releases; and a steady stream of typosquatted and dependency-confusion packages on npm and PyPI lands malicious code on developer machines and build agents every week. The attacker reaches you not by breaching your perimeter but by riding code or hardware you already trust.
Defense starts with a software bill of materials (SBOM). Every build pipeline should produce a CycloneDX or SPDX SBOM listing direct and transitive dependencies with versions and license information, generated from the built artifact (the container image or release bundle) rather than only from source manifests, so that what you scan is what you ship. Tools such as Syft, the CycloneDX CLI, and the npm sbom command generate SBOMs in seconds. Store SBOMs alongside the artifacts they describe and ingest them into a vulnerability scanner (Dependency-Track, OWASP dep-scan, or Snyk) that correlates them against the OSV.dev and NVD feeds as advisories are published. When the next critical CVE drops, a single query tells you within minutes which products are exposed and through which dependency path.
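The correlation step described above, as an added example that is not code from the original article or from any of the tools it names: a CycloneDX JSON SBOM is matched against OSV-shaped advisory records and each hit is reported with the dependency path back to the product. Both the SBOM and the advisories are constructed stand-ins (the advisory ids are placeholders, not real CVEs), and the version comparison handles plain dotted numeric versions only.

```python
"""Correlate a CycloneDX SBOM against OSV-style advisory records.

Added example, not from the original article.  SBOM_JSON and ADVISORIES are
constructed, simplified stand-ins for real Syft output and real OSV.dev data.
"""
import json
from urllib.parse import unquote

# Constructed CycloneDX 1.5 document, trimmed to the fields this check needs.
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "billing-api", "version": "2.3.0", "bom-ref": "app"}},
  "components": [
    {"bom-ref": "pkg:npm/express@4.18.2", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
    {"bom-ref": "pkg:npm/qs@6.5.2", "name": "qs", "version": "6.5.2", "purl": "pkg:npm/qs@6.5.2"},
    {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:npm/express@4.18.2", "pkg:pypi/requests@2.31.0"]},
    {"ref": "pkg:npm/express@4.18.2", "dependsOn": ["pkg:npm/qs@6.5.2"]}
  ]
}'''

# Constructed advisories in OSV shape; the ids are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-VULN-0001",
     "affected": [{"package": {"ecosystem": "npm", "name": "qs"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "6.5.0"}, {"fixed": "6.5.3"}]}]}]},
    {"id": "EXAMPLE-VULN-0002",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "requests"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"}, {"fixed": "2.31.0"}]}]}]},
]

# purl type -> OSV ecosystem label, for the ecosystems used in the sample.
ECOSYSTEMS = {"npm": "npm", "pypi": "PyPI"}


def load_sbom(text: str = SBOM_JSON) -> dict:
    return json.loads(text)


def parse_purl(purl: str) -> tuple[str, str, str]:
    """Split 'pkg:type/[namespace/]name@version' into (ecosystem, name, version)."""
    ptype, rest = purl.removeprefix("pkg:").split("/", 1)
    name, _, version = rest.rpartition("@")
    return ECOSYSTEMS.get(ptype, ptype), unquote(name), version


def vkey(version: str) -> tuple[int, ...]:
    """Dotted numeric versions only; pre-release tags are out of scope here."""
    return tuple(int(p) for p in version.split("."))


def is_affected(version: str, events: list[dict]) -> bool:
    """OSV range semantics: affected if introduced <= version < fixed (fixed may be absent)."""
    v, intervals, start = vkey(version), [], None
    for ev in events:
        if "introduced" in ev:
            start = ev["introduced"]
        elif "fixed" in ev:
            intervals.append((start, ev["fixed"]))
            start = None
    if start is not None:
        intervals.append((start, None))
    return any(v >= vkey(lo) and (hi is None or v < vkey(hi)) for lo, hi in intervals)


def dependency_paths(sbom: dict) -> dict[str, list[str]]:
    """Map each bom-ref to its path from the product, by breadth-first walk of 'dependencies'."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths, queue = {root: [sbom["metadata"]["component"]["name"]]}, [root]
    while queue:
        ref = queue.pop(0)
        for child in graph.get(ref, []):
            if child not in paths:
                paths[child] = paths[ref] + [child]
                queue.append(child)
    return paths


def exposed_components(sbom: dict, advisories: list[dict]) -> list[tuple[str, str, str]]:
    """Return (advisory id, purl, dependency path) for every component an advisory covers."""
    index: dict[tuple[str, str], list] = {}
    for adv in advisories:
        for aff in adv["affected"]:
            key = (aff["package"]["ecosystem"], aff["package"]["name"])
            index.setdefault(key, []).append((adv["id"], aff["ranges"]))
    paths, hits = dependency_paths(sbom), []
    for comp in sbom["components"]:
        eco, name, version = parse_purl(comp["purl"])
        for vuln_id, ranges in index.get((eco, name), []):
            if any(is_affected(version, r["events"]) for r in ranges):
                hits.append((vuln_id, comp["purl"], " -> ".join(paths.get(comp["bom-ref"], ["?"]))))
    return hits


if __name__ == "__main__":
    for vuln_id, purl, path in exposed_components(load_sbom(), ADVISORIES):
        print(f"{vuln_id}: {purl} via {path}")
```

Note that requests 2.31.0 is not reported: OSV ranges are half-open, and a version equal to `fixed` is clean. The path output is what turns a scanner hit into a fix: here the vulnerable qs is pulled in by express, so the remediation is an express bump, not a direct qs pin.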
Reduce the scope of trust with package pinning, hash verification, and reproducible builds. Lockfiles and hash manifests (package-lock.json, poetry.lock, go.sum, a pip constraints file used with --require-hashes) must be committed, and CI must install with the strict command (npm ci rather than npm install) so that any drift between the manifest and the lockfile fails the build instead of being silently resolved. Put a private registry (JFrog Artifactory, GitHub Packages, AWS CodeArtifact) in front of the public ones as a proxy that caches packages, lets you quarantine a suspect version, and gives you one place to check that every resolved URL points at the proxy rather than at an arbitrary host. Sign your own artifacts with Sigstore cosign and verify the signatures at deployment with a policy engine such as OPA or Kyverno, so an unsigned or wrongly signed image is rejected at admission. The SLSA (Supply-chain Levels for Software Artifacts) framework, Build Levels 0 through 3 in version 1.0, gives a maturity ladder from "provenance exists" to "builds are hardened and provenance is unforgeable".
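An added example of the lockfile and hash checks just described, not code from the original article or from npm itself: it audits a lockfileVersion 3 package-lock.json for manifest drift, for entries resolved outside the private proxy or over plain HTTP, and for missing integrity hashes, and then verifies a downloaded tarball against the lockfile's Subresource Integrity string. The lockfile, the package.json, and the tarball bytes are constructed, and the proxy host npm-proxy.internal.example is an assumed name.

```python
"""Audit a package-lock.json and verify a tarball against its SRI hash.

Added example, not from the original article.  PACKAGE_JSON, LOCKFILE and
TARBALLS are constructed; ALLOWED_REGISTRY is an assumed private proxy host.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlparse

ALLOWED_REGISTRY = "npm-proxy.internal.example"   # assumed private proxy, not a real host


def make_sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource-Integrity string in the form npm stores it: '<algo>-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """True only if data matches the integrity string; constant-time digest comparison."""
    algo, _, expected = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False   # old lockfiles carry sha1 strings; refuse rather than trust them
    try:
        return hmac.compare_digest(hashlib.new(algo, data).digest(),
                                   base64.b64decode(expected, validate=True))
    except ValueError:
        return False


# Constructed placeholder tarballs standing in for what the registry would serve.
TARBALLS = {
    "left-pad": b"left-pad-1.3.0 placeholder tarball bytes",
    "lodash":   b"lodash-4.17.21 placeholder tarball bytes",
    "evil-dep": b"evil-dep-0.0.1 placeholder tarball bytes",
}

# Constructed manifest: yargs is declared here but missing from the lockfile (drift).
PACKAGE_JSON = {"name": "billing-api",
                "dependencies": {"left-pad": "^1.3.0", "lodash": "^4.17.21", "yargs": "^17.7.2"}}

# Constructed lockfileVersion 3 fragment with one clean entry and two bad ones.
LOCKFILE = {
    "name": "billing-api",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": PACKAGE_JSON["dependencies"]},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": f"https://{ALLOWED_REGISTRY}/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": make_sri(TARBALLS["left-pad"]),
        },
        "node_modules/lodash": {                      # bypasses the proxy
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": make_sri(TARBALLS["lodash"]),
        },
        "node_modules/evil-dep": {                    # plain HTTP, unknown host, no hash
            "version": "0.0.1",
            "resolved": "http://203.0.113.7/evil-dep-0.0.1.tgz",
        },
    },
}


def audit_lockfile(pkg: dict, lock: dict, allowed_host: str) -> list[str]:
    """Return the findings a CI job should fail on; an empty list means the lockfile is clean."""
    findings, packages = [], lock["packages"]
    for name in pkg.get("dependencies", {}):
        if f"node_modules/{name}" not in packages:
            findings.append(f"drift: {name} declared in package.json but absent from lockfile")
    for path, entry in packages.items():
        if not path:                                  # "" is the root project itself
            continue
        name = path.removeprefix("node_modules/")
        url = urlparse(entry.get("resolved", ""))
        if url.scheme != "https":
            findings.append(f"{name}: resolved over {url.scheme or 'no'} scheme, not https")
        if url.hostname != allowed_host:
            findings.append(f"{name}: resolved from {url.hostname}, not the approved proxy {allowed_host}")
        if "integrity" not in entry:
            findings.append(f"{name}: no integrity hash, tarball cannot be verified")
    return findings


def verify_package(lock: dict, name: str, data: bytes) -> bool:
    """Check downloaded tarball bytes against the lockfile entry; no hash means no trust."""
    return verify_sri(data, lock["packages"][f"node_modules/{name}"].get("integrity", ""))


if __name__ == "__main__":
    for finding in audit_lockfile(PACKAGE_JSON, LOCKFILE, ALLOWED_REGISTRY):
        print("FAIL:", finding)
    print("left-pad verified:", verify_package(LOCKFILE, "left-pad", TARBALLS["left-pad"]))
```

npm ci already refuses to run when package.json and the lockfile disagree; what it does not do is enforce a registry-host policy, which is the part of this check worth wiring into CI when a private proxy is mandatory. A missing integrity field is treated as a verification failure rather than a warning, because a lockfile entry without a hash is exactly what a tampered or hand-edited lockfile looks like.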
Vendor risk management covers the organizational side. Maintain a tiered vendor inventory with last-audit dates. For tier-1 vendors, meaning the ones whose compromise would compromise you directly (your payroll provider, your code signing CA, your identity provider), require an annual SOC 2 Type II report, review their subprocessor lists for fourth-party exposure, and contractually mandate breach notification within 72 hours. The Cyber Security Center of Azerbaijan publishes advisories on local supply chain incidents; subscribe to their feed and to CISA's, and route alerts to a named on-call engineer rather than a shared mailbox nobody owns.