Software Supply Chain Risk: Characterization, Measurement & Attenuation

With the accelerating adoption of open source software, and an ever-growing body of case studies of security vulnerabilities being introduced by said open source software (Log4J arbitrary code execution, OpenSSH backdoor by way of XZ-utils, and the Polyfill CDN take over), the need for supply chain observability has become increasingly urgent. This need has been acknowledged by both industry and government, with calls to enforce the adoption of Software Bills of Materials (SBOMs).