CoursesSoftware supply chain securityThreat landscape & mindset

The software supply chain & why it is targeted

Every link from commit to cluster is attack surface.

Intermediate12 min · lesson 1 of 18

Your software supply chain is every input and every step between a developer’s idea and the artifact running in production — the source code, the dependencies you pull in, the build system, the container base, the CI pipeline, the registry, and the deploy. Traditional security guards the running application; supply-chain security guards how it was made, because an attacker who compromises any link ships their code inside your trusted artifact, past your perimeter, signed by your name.

The links an attacker can target
1source
repo, developers, SCM
2dependencies
libraries, base images
3build
CI, build tools
4artifact → deploy
registry, admission
Compromise any one link and the malicious code inherits all the trust of the final artifact. Defense means securing — and verifying — every link.

Why the supply chain became the target

Attackers follow leverage. Directly breaching a hardened production system is hard; poisoning a widely-used dependency or a build system compromises everyone downstream at once. A typical service is 80–90% third-party code you did not write and rarely read, running builds on automation that holds production credentials — an enormous, under-defended surface. That asymmetry is why supply-chain attacks moved from theoretical to among the most damaging incidents of recent years.

The shift from "is it vulnerable" to "can I trust it"

Vulnerability scanning asks whether an artifact has a known flaw. Supply-chain security asks a different, deeper question: can I trust that this artifact is what it claims to be — built from the source I reviewed, by the pipeline I control, with the dependencies I approved, untampered end to end? Answering that requires making every step verifiable: signed commits, provenance, SBOMs, signatures, and verification at the gate. This course builds that chain of trust link by link.

Trust is transitive — and inherited
When you import a library or a base image, you inherit the trust posture of everyone who touched it upstream: its maintainers, their accounts, their build systems. A single compromised maintainer account or CI token upstream becomes your problem, in production, wearing your artifact’s name. Supply-chain security is the discipline of not trusting blindly, and of proving trust rather than assuming it.