• blogangle-right
  • Software Supply Chain Security: Why Your Organization Must Protect Its Software Supply Chain in 2025

Table of Contents

Software Supply Chain Security: Why Your Organization Must Protect Its Software Supply Chain in 2025

  • March 20, 2025
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

Attacks on both open source code and commercial-software vendors have grown, despite increased media attention to the problem of software supply chain security and concerted efforts by regulatory bodies and government agencies to promote supply chain security, according to ReversingLabs’ 2025 Software Supply Chain Security Report.

With cyber threats increasingly targeting vulnerabilities in third-party software, open-source components, and development pipelines, software supply chain security is more critical than ever. A compromised software supply chain can lead to devastating breaches, data theft, and operational disruptions.

This blog explores what software supply chain security entails, how to enhance it using guidance from NIST, best practices—including automation—and the role of supply chain security software and tools.

What is software supply chain security?

Software supply chain security refers to the practices and technologies used to identify third-party susceptibilities, vulnerabilities, and threats throughout the software supply chain and protect the entire lifecycle of software development and distribution. Mitigation strategies include securing code repositories, build environments, dependencies, deployment processes, and third-party risk management and integrations to prevent tampering, vulnerabilities, or unauthorized access.

Software supply chain risks include:

  • Compromised open-source libraries and dependencies
  • Malware injection during software builds
  • Unauthorized access to source code repositories
  • Exposed sensitive software secrets like embedded and plaintext credentials and API tokens in commercial software binaries
  • Known and exploitable or patch-mandated vulnerabilities in third-party tools and services, particularly in older software packages
  • Unvetted third-party vendors

Let’s take a look at why software supply chain security matters below. 

6 examples of software supply chain risk represented by text and icons

The importance of securing the software supply chain

Securing the software supply chain is essential for maintaining business continuity, data protection, and regulatory compliance. Here are key reasons why organizations should prioritize supply chain security:

  • Prevent cyberattacks: Threat actors target software supply chains to inject malicious code, leading to widespread breaches. Securing the software supply chain can prevent these breaches
  • Protect sensitive data: Ensuring security across the supply chain reduces the risk of unauthorized data access and leaks that include customer data.
  • Maintain regulatory compliance: Organizations must meet supply chain risk management requirements to comply with regulations and industry standards like NIST 800-53, CMMC, SOC 2, and ISO 27001 to avoid penalties and legal consequences. US federal agencies are required to implement certain best practices for enhancing the security of the software supply chain by NIST. 
  • Ensure software integrity: Preventing tampering with software components helps maintain the integrity of applications and services, which is critical for building trust with customers and other stakeholders.
  • Reduce financial and reputational damage: Software supply chain attacks can lead to costly recovery efforts, lost revenue, and diminished customer trust. Preventing them can help save your reputation and revenue.
  • Enhancing national and global security: Software supply chain security has a global impact. Securing the global supply chain is essential for protecting the sensitive information, intellectual property, integrity of information systems, and ability of governments all over the world to safely and reliably provide services to the public.

By proactively securing their software supply chains, organizations can mitigate risks and build a more resilient security posture.

To underscore the importance of securing the software supply chain, let’s take a look at some recent attacks and the impact they had.

Recommended reading

Third-Party Security: 8 Steps To Assessing Risks And Protecting Your Ecosystem

Software supply chain attacks: 5 landmark examples

Below are five landmark examples of software supply chain attacks and their impact and what we can learn from them.

1. SolarWinds supply chain attack

Date: September 2019

Impact: Over 18,000 customers were affected, including government agencies and Fortune 500 companies and recovery costs exceeded $100 million.

Beginning in September 2019, an advanced persistent threat (APT) actor compromised the SolarWinds Orion software supply chain and injected malicious code into SolarWinds’ Orion software update. The malware spread as over 18,000 SolarWinds customers installed the compromised update. The threat actor then targeted a smaller subset of high-value customers, including federal agencies such as the US Treasury, to exploit for the primary purpose of espionage.

Key learning: Organizations must rigorously vet software updates and implement behavioral anomaly detection to identify unusual activity in cloud environments. More specifically, monitoring the use of SSO tokens and the use of service principals in the cloud can help detect the compromise of identity services and prevent threat actors from gaining access to your cloud resources. 

2. Kaseya VSA ransomware attack

Date: July 2021

Impact: Ransomware affected 60 direct clients and spread to over 1,500 businesses globally and attackers demanded $70 million in ransom.

Kaseya’s VSA software was compromised by attackers who exploited a vulnerability to deploy a fake update that propagated malware to its direct and indirect customers. This ransomware attack impacted managed service providers (MSPs) and their downstream clients, totalling over 1,5000 across the globe.

Key learning: Implementing strong vulnerability management and rapid incident response can reduce the spread and impact of attacks like this.

3. Log4j vulnerability (Log4Shell)

Date: December 2021

Impact: Hundreds of millions of systems worldwide were vulnerable, leading to extensive patching efforts and security incidents.

A critical zero-day vulnerability in the widely-used Log4j logging library allowed attackers to execute remote code on affected systems and assume complete control of it. Since the flaw exposed some of the world's most popular applications and services, including AWS, Microsoft, Cisco, Google Cloud, and IBM to attack, it caused global security incidents and emergency mitigation efforts and is expected to “wreak havoc across the internet for years to come.”

Key learning: In addition to immediately applying available patches or workarounds to known vulnerabilities, establishing proactive patch management and continuous software composition analysis (SCA) can help organizations respond swiftly to emerging threats.

4. 3CX double supply chain compromise

Date: March 2023

Impact: Malware was embedded in the company's VoIP software, potentially affecting thousands of users worldwide.

Attackers compromised 3CX’s desktop VoIP software, injecting malware that allowed them to infiltrate corporate networks and steal data of potentially hundreds of thousands of customers. Researchers from cybersecurity firm Mandiant say that it began when a 3CX employee’s PC was hacked through an earlier software-supply-chain attack that hijacked an application of the financial software firm Trading Technologies back before 2021. They say this is the first confirmed incident where one software-supply-chain attack enabled another. 

Key learning: Continuous security monitoring and behavior analysis of software packages can help detect and mitigate supply chain threats, like the presence of malicious software, before widespread impact.

5. Justice AV Solutions software attack

Date: December 2023

Impact: Malware embedded in an audio-visual recording platform used in courtrooms, jails, prisons, council, hearing, and lecture halls across nationwide.

In December 2023, Justice AV Solutions (JAVS), a provider of courtroom recording and evidence management software, suffered a supply chain attack. Hackers swapped a legitimate version of the company's signed software for a version with a backdoor and then signed the installer using a valid certificate in another company's name. It’s recommended that all users of JAVS' software immediately review their environment for signs of compromise, wipe any affected endpoints, and reset all credentials those endpoints may have handled.

Key learning: The closed-source, commercial software shipped to your organization is not to be blindly trusted. Implementing rigorous integrity checks, cryptographic signing, and vendor security assessments is essential to verify software security and prevent similar threats.

These incidents highlight the growing risk of software supply chain attacks and the need for robust security measures.

Recommended reading

15 Recent Cyber Attacks & What They Tell Us About the Future of Cybersecurity

How to enhance software supply chain security​ according to NIST guidance

Issued in 2021, Executive Order (EO) 14028, Improving the Nation’s Cybersecurity directed the National Institute of Standards and Technology (NIST) to publish guidance on practices for software supply chain security.

To this end, NIST published the NIST Secure Software Development Framework (SSDF), SP 800- 218 and the NIST Software Supply Chain Security Guidance. Taken together, these two documents provide a set of practices that create the foundation for developing secure software.

By following NIST guidance, organizations can ensure software integrity and security, which is key to protecting sensitive information systems from threats and vulnerabilities and reducing overall risk from cyber-attacks.Following this guidance is mandatory for federal agencies and recommended for commercial organizations. 

Below are some examples of security measures from NIST guidance. Please note this list is not exhaustive:

  • Define criteria for software security checks: Establish clear and measurable security requirements that software must meet before deployment.
  • Protect all forms of code from unauthorized access and tampering: Safeguard the development, build, distribution, and update environments by implementing strict access controls and following the principle of least privilege.
  • Provide a mechanism for verifying software release integrity: Make software integrity verification information available to software acquirers by posting cryptographic hashes for release files or periodically reviewing the code signing processes, for example.
  • Design software to meet security requirements and mitigate security risks: Integrate secure-by-design principles from the outset to minimize vulnerabilities.
  • Verify third-party software complies with security requirements: Conduct rigorous security assessments of third-party code and dependencies before integration.
  • Configure the compilation and build processes to improve executable security: Implement secure build configurations, including compiler hardening and address space layout randomization (ASLR).
  • Review and/or analyze human-readable code to identify vulnerabilities: Perform static code analysis, manual code reviews, and secure coding audits to detect security flaws.
  • Test executable code to identify vulnerabilities: Use dynamic analysis, fuzz testing, and penetration testing to uncover weaknesses in compiled software.
  • Configure the software to have secure settings by default: Ensure default configurations prioritize security, minimizing risk upon deployment.
  • Archive and protect each software release: Maintain secure backups of each software version to facilitate rollback and forensic analysis in case of security incidents.
  • Identify, analyze, and remediate vulnerabilities on a continuous basis: Implement continuous vulnerability scanning and patch management to keep software secure over time.

By implementing these and other recommended practices from the NIST guidance documents,  organizations can improve the resilience of their software supply chains.

Recommended reading

Secure by Design: What Does It Mean & How to Reasonably Implement It

Software supply chain security best practices​ 

To further enhance the security of your software supply chain, organizations should follow these best practices:

  • Create a supply chain risk management policy: A supply chain risk management policy is designed to define and support the protection and controls of supply chain procedures and processes. This policy should cover all suppliers, plants, warehouses, and transport routes in addition to software providers. It should specify roles and responsibilities and what supply chain risk management capabilities will be implemented.
  • Perform software supplier risk assessments: As a key part of due diligence, the risk assessment process is used to identify any potential risks and better understand how data is shared before entering into a legal agreement with a software supplier. It can include anything from reviewing compliance reports and the attestations of compliance to requesting suppliers to perform a security questionnaire and reviewing results.
  • Map out your software supply chain: Mapping out your software supply to identify the most critical systems, networks, and information can help you prioritize resources to manage risks to those parts of the chain.
  • Automate security processes when possible: Automated security testing tools for code review, testing runtime behavior, simulating real-world attacks, and ensuring compliance and adherence to baseline configurations can help identify vulnerabilities early in the development process, allowing developers to address them before they escalate into serious security risks.

Since automation plays a crucial role in maintaining software supply chain security, reducing human error, and ensuring continuous compliance, let’s take a closer look at these types of tools below. 

Download the Supply Chain Risk Management Policy Template

This ready-to-use template helps you establish a structured approach to identifying, assessing, and mitigating risks across your supply chain. Download now to strengthen your security, enhance compliance, and protect your business from disruptions.

How Secureframe can help you secure your software supply chain

Secureframe provides a comprehensive compliance automation platform that simplifies software supply chain security by automating risk assessments, monitoring vendor security, and ensuring adherence to best practices. 

With Secureframe, you can:

  • Help determine secure-by-design principles upon integration with your tech stack to identify security and compliance gaps.
  • Continuously monitor your infrastructure, applications, and vendor ecosystem to detect misconfigurations and vulnerabilities in real time.
  • Receive instant alerts on detected misconfigurations through Slack, Jira, email, or directly within the platform.
  • Automate remediation of security misconfigurations with step-by-step guidance or infrastructure-as-code fixes generated automatically by Comply AI.
  • Streamline third-party risk management (TPRM) by integrating with your suppliers, retrieving security documentation, and automating supplier risk assessments.
  • Enhance software integrity by verifying vendor security postures, tracking risk assessments, and managing supplier compliance documentation.
  • Integrate your cloud platform and developer tools to see all of your vulnerabilities from services like AWS inspector and Github in one place. 
  • Automate compliance management to built-in security frameworks that include supply chain security controls, enabling organizations to meet requirements efficiently.
  • Get guidance and answers to any questions you may have from compliance managers and a partner network of trusted auditors and pen testing firms.

Ready to enhance your software supply chain security? Schedule a demo with Secureframe today to learn how.

FAQs

What is a secure software supply chain?

A secure software supply chain ensures that all components, from code development to deployment, are protected against threats. This includes implementing secure coding practices, verifying software integrity, managing third-party dependencies, and continuously monitoring for vulnerabilities, among other security practices.

Is software supply chain risk growing?

Yes, back in 2023, almost nine out of 10 companies detected security or other software issues in their software supply chain in the last 12 months, according to global research conducted by Dimensional Research and commissioned by ReversingLabs. The latest annual report by ReversingLabs found that attacks on both open source code and commercial-software vendors have grown.

What is software supply chain security guidance under Executive Order EO 14028?

The Executive Order (EO) 14028, Improving the Nation’s Cybersecurity directed the National Institute of Standards and Technology (NIST) to publish guidance on practices for software supply chain security. This guidance involves systematic reviews, process improvements, and security standards for both software suppliers and developers, in addition to customers who acquire software for the federal government.