The supply chain has possibly never been more topical in the midst of hostilities in the Middle East and reports of a standoff between the US Department of Defence and an AI software development company because the latter is refusing to allow government unfettered access to its AI software.
The rhetoric is flying with accusations of designating the company as a “supply chain risk” to the nation − usually reserved for foreign adversarial firms.
The point is that the software supply chain is important − on a global scale − and trends in that arena can have far-reaching implications.
However, let's start by taking a step back and defining what we're talking about. A software supply chain is described as the comprehensive network of processes, tools, people and components (such as code, libraries and dependencies) used to develop, build and deliver software to users.
Like a factory assembly line, it moves raw code from creation through to testing and deployment. Software supply chain security refers to the security measures and practices implemented throughout the software development lifecycle (SDLC) to protect the integrity, confidentiality and availability of software products and services.
Supply chain attacks exploit the trust relationships between different organisations. All businesses have some degree of trust in other companies when they install and use software and/or hardware on their networks, or when they collaborate via vendor or contractor agreements.
The future of software supply chain security lies in automation, visibility and policy enforcement.
Supply chain attacks target the weakest link in the chain of trust. Even if your company is well-defended and has a strong cyber security programme, if a trusted vendor is not secure, attackers will target that vendor to bypass whatever security is in place in the primary business − meaning you.
By gaining a foothold in the provider's network, an attacker can exploit this trust scenario to gain access to a more secure network.
To put this in context, examples of major cyber breaches include the famous SolarWinds attack in 2021, when the UK's National Cyber Security Centre (NCSC), together with its security counterparts in the US, revealed that Russia's Foreign Intelligence Service was behind one of the most serious cyber intrusions of recent times, an attack on the popular SolarWinds IT management platform.
This major attribution came five months after the first warning by the NCSC that SolarWinds had been compromised and could be used for further attacks on connected systems.
A more recent example is that of the British Airways supply chain attack in 2025 (having also sustained a cyber attack in 2018). This saw major European airports, including Heathrow, being thrown into chaos as thousands faced delays and cancellations after a major cyber attack. Airlines were forced to check passengers in manually after the attack hit systems used for check-in and boarding, causing hours-long queues.
Key trends shaping the application security market
Application security debt is rising when we can least afford it, further escalating an already unmanageable problem. According to a recent State of Software Security report by Veracode, 70% of critical security debt comes from third-party code, making the software supply chain a prime target for cyber attacks, especially considering the 180% increase in breaches over the past year.
Know more
The report confirms this risk is further exacerbated by the widespread integration of open source libraries, expanding the attack surface considerably, in many cases constituting up to 80% of modern code bases.
It further asserts that malicious packages and dependency vulnerabilities are on the rise, with attackers targeting open source repositories like NPM and PyPI. Therefore, regulatory mandates like the EU's Digital Operational Resilience Act, which came into effect in 2025, require organisations to secure their software supply chains and produce software bills of materials. This in turn has led to a shift from reactive remediation to proactive security blocking risks before they enter the pipeline.
The future of software supply chain security lies in automation, visibility and policy enforcement. A world-class solution must not only identify risks but also prevent them at the source, ensuring secure innovation without slowing down development.
Best practices for securing software supply chains
Begin with end-to-end insight into dependencies, followed by defining custom policies. These must be tailored to meet with the company's needs, such as blocking new packages or enforcing licence compliance. Early integration of said policies is advisable.
Automation is regarded as key to successful software supply chain security, with automated dependency updates being key to reducing manual remediation and keeping the pipeline secure.
Continuous monitoring of use logs and threat intelligence feeds will enable companies to stay ahead of emerging threats and maintain compliance.
Developers must be educated through console alerts and notifications that help to guide them to secure package versions without disrupting workflow.
Gartner recommends securing supply chains by building resilience through end-to-end visibility, diversifying supplier networks (nearshoring, multi-sourcing) and leveraging digital platforms for real-time risk management.
The research firm notes that key strategies include implementing inventory buffers, fostering an agile culture, and adopting proactive, scenario-based planning to mitigate, rather than just react to, disruptions.
Gartner further confirms that to create value, supply chain managers must evolve the operating model. It asserts that supply chain strategy has always been complex but complexity is not wholly "bad" as it also serves to underscore the importance of supply chain management.
The bottom line? Threats to the software supply chain, whether malicious packages or hidden vulnerabilities, are a growing concern, but they do not have to derail development or innovation.
Share
