Supply Chain Security Definition Supply chain security is the practice of reducing risk introduced by third-party code, build systems, dependencies, artifacts, signing paths, and release distribution processes. Why it matters Modern software is assembled from many upstream parts. DevSecOps is incomplete if it secures only first-party code while ignoring dependencies, transitive packages, build integrity, and release provenance. This note is the umbrella for the supply-chain cluster: dependency-risk covers upstream package exposure, artifact-integrity covers tamper resistance in outputs, and sbom-and-provenance covers component and build traceability. Attacker perspective Attackers target supply chains because one compromise can scale across many downstream consumers. Weaknesses in package trust, build systems, secrets, and artifacts can bypass strong runtime security entirely. Defender perspective Defenders should: - understand where software components come from - reduce unnecessary trust in upstreams - secure the build and release path - verify what is shipped, not just what is developed Practical examples a dependency update pulls in a malicious or compromised package a build artifact is replaced after CI but before release teams track vulnerabilities but not provenance or trust boundaries Related notes dependency-risk artifact-integrity sbom-and-provenance Third-Party Exposure References Foundational: OWASP Software Supply Chain Security Cheat Sheet — https://cheatsheetseries.owasp.org/cheatsheets/Software_Supply_Chain_Security_Cheat_Sheet.html Foundational: NIST SP 800-218 SSDF — https://csrc.nist.gov/pubs/sp/800/218/final Foundational: CISA Secure by Design — https://www.cisa.gov/resources-tools/resources/secure-by-design ← PreviousSecure by Design Explore nearby notes DevSecOpsArtifact IntegrityArtifact integrity is the assurance that build outputs, packages, images, and release artifacts have not been tampered with and can be traced back to the intended... DevSecOpsASVS as Dev Process InputThis note treats OWASP ASVS not as a post-hoc checklist, but as a development-process input for designing, reviewing, and verifying technical security controls... DevSecOpsBranch Protection and Release ControlsBranch protection and release controls are the rules and governance mechanisms that determine who can change protected code paths, approve releases, and promote... DevSecOpsCI/CD HardeningCI/CD hardening ice of securing the build, test, and deployment pipeline so that automation becomes a trusted control path rather than an attack amplifier. DevSecOpsContainer SecurityContainer security is the practice of reducing risk in how containerized applications are built, configured, shipped, and run. DevSecOpsDependency RiskDependency risk is the security risk introduced by direct and transitive third-party libraries, frameworks, packages, and their update and trust patterns.