diff --git a/public/logo_horizontal.svg b/public/logo-horizontal.svg
similarity index 100%
rename from public/logo_horizontal.svg
rename to public/logo-horizontal.svg
diff --git a/public/logo_inverse_horizontal.svg b/public/logo-inverse-horizontal.svg
similarity index 100%
rename from public/logo_inverse_horizontal.svg
rename to public/logo-inverse-horizontal.svg
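Review bot: only one of the two renamed assets gets a matching reference update in this patch. `logo_inverse_horizontal.svg` is fixed in `Footer.tsx` below, but no hunk touches a reference to `/logo_horizontal.svg`; the theme config hunk at the end is cut off at `logo: (`, so it cannot be confirmed there either. Grep `src/` for the underscore names before merging, because a stale string path under `public/` fails silently as a runtime 404 rather than at build time.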
diff --git a/src/components/Footer.tsx b/src/components/Footer.tsx
index 5248270..b67c0d5 100644
--- a/src/components/Footer.tsx
+++ b/src/components/Footer.tsx
@@ -77,7 +77,7 @@ export default function Footer() {
width={200}
height={50}
alt="DevGuard Logo"
- src="/logo_inverse_horizontal.svg"
+ src="/logo-inverse-horizontal.svg"
className="h-12 w-auto"
/>
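Review bot: the `src` fix matches the rename, but a bare `src="/logo-inverse-horizontal.svg"` string is never validated by the bundler, which is exactly how this class of break slips through. If the element is `next/image`, a static import of the SVG from the project tree (assigned to `src`) would make the next rename a compile error instead of a broken image in production.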
diff --git a/src/pages/explanations/supply-chain-security/what-is-supply-chain-security.mdx b/src/pages/explanations/supply-chain-security/what-is-supply-chain-security.mdx
index 53dc0be..f2d431e 100644
--- a/src/pages/explanations/supply-chain-security/what-is-supply-chain-security.mdx
+++ b/src/pages/explanations/supply-chain-security/what-is-supply-chain-security.mdx
@@ -1,22 +1,23 @@
---
-title: 'What is supply chain security'
-metaDescription: 'Learn what software supply chain security is, explore real-world attacks like SolarWinds and Log4Shell, and discover core principles like SBOMs, provenance, and SLSA to protect your software.'
+title: 'What is supply chain security?'
+description: 'Learn what supply chain security means for software development, which threats exist, and how to mitigate risks in your software lifecycle.'
---
import { AttributedImage } from '@/components/AttributedImage'
-## What is Supply Chain Security?
+# What is Supply Chain Security?
In modern software development, you rarely write 100% of your own code. Instead, you assemble products using a vast ecosystem of third-party libraries, build tools, container images, and CI/CD pipelines.\
In fact, it has been estimated that **[70-90%](https://www.linuxfoundation.org/blog/blog/a-summary-of-census-ii-open-source-software-application-libraries-the-world-depends-on)** of current software is composed of
Free and Open Source Software (FOSS). This heavy reliance on external dependencies has fundamentally altered the [threat landscape](/explanations/supply-chain-security/what-is-supply-chain-security#the-threat-landscape),
shifting the risk from the code you write to the components you consume and the tools you use to deploy them.\
-**Supply chain security** is the practice of ensuring that every component, process, and actor involved in the creation and delivery of your software is verified, untampered, and trustworthy. Effective supply chain security requires a comprehensive understanding of your software's origins.
+**Supply chain security** is the practice of ensuring that every component, process, and actor involved in the creation and delivery of your software is verified, untampered, and trustworthy.\
+**Effective supply chain security** requires a comprehensive **understanding** of your **software's origins**.
## What is the Software Supply Chain?
A software supply chain consists of all the steps and components involved in creating, building, and deploying software in the [Software Development Life Cycle](https://en.wikipedia.org/wiki/Systems_development_life_cycle).
-Understanding your software supply chain is fundamental to implementing supply chain security. It includes the tools, processes, and people responsible for writing and transforming source code into a deployable application.
+It includes the tools, processes, and people responsible for writing and transforming source code into a deployable application.
The software supply chain for a typical project could involve for example (not exhaustive):
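Review bot: renaming the frontmatter key from `metaDescription` to `description` is a cross-file contract change, and it only keeps working because the theme hunk further down switches to `frontMatter.description` in the same patch; any other `.mdx` page in `src/pages` still declaring `metaDescription` loses its meta tag with no warning. Either migrate every page in this PR or keep the old key readable in the theme until they are. The `##` to `#` promotion is the right fix for a page-level heading; apply the same convention to the sibling explanation pages so heading levels stay consistent across the section.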
@@ -31,14 +32,14 @@ The software supply chain for a typical project could involve for example (not e
- Package management software and ecosystems (npm, pip, etc.)
- ...
-Every one of these components has to be secured. A single vulnerability can put the entire software supply chain at risk, which is why supply chain security must address each stage.
+Every one of these components has to be secured. A single vulnerability can put the entire software supply chain at risk, which is why each stage needs to be addressed.
---
## The Threat Landscape
-Understanding the potential threats to the software supply chain is crucial for supply chain security.
-By mapping the software supply chain, we can pinpoint vulnerabilities throughout the development lifecycle. Robust supply chain security depends on identifying these risks early.
+Understanding the potential threats to the software supply chain is crucial to ensure its security.
+By mapping the software supply chain, we can pinpoint vulnerabilities throughout the development lifecycle.
These risks are categorized into **four strategic domains:**\
[**Source**](/explanations/supply-chain-security/what-is-supply-chain-security#1-source-threats),
[**Build**](/explanations/supply-chain-security/what-is-supply-chain-security#2-build-threats),
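Review bot: the replacement "which is why each stage needs to be addressed" drops the keyword stuffing but also drops the verb that carried the meaning; "addressed" is vaguer than the "secured" used earlier in the same sentence. Suggest "which is why each stage must be secured." The same cleanup two lines later ("crucial to ensure its security") reads fine.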
@@ -49,7 +50,7 @@ and [**Deployment & Runtime threats**](/explanations/supply-chain-security/what-
### 1. Source Threats
-Source threats represent a critical concern for supply chain security. These risks target the earliest stage of development—the code itself and the systems that manage it. Attackers aim to compromise source code repositories to inject malicious code or steal intellectual property
+Source threats target the earliest stage of development—the code itself and the systems that manage it. Attackers aim to compromise source code repositories to inject malicious code or steal intellectual property
before the build process even begins.
#### Examples of Source Threats
@@ -60,7 +61,7 @@ before the build process even begins.
**Real-World Example: [The 2024 XZ Utils Backdoor](https://en.wikipedia.org/wiki/XZ_Utils_backdoor)**
-This attack demonstrates why supply chain security is essential. In this sophisticated social engineering attack, a malicious actor known as "Jia Tan" spent years building trust to gain maintainer rights over **XZ Utils**, a widely used compression library.
+In this sophisticated social engineering attack, a malicious actor known as "Jia Tan" spent years building trust to gain maintainer rights over **XZ Utils**, a widely used compression library.
Once in control, they injected a backdoor designed to allow unauthorized **remote code execution** on Linux servers.
**Impact:** The attack was discovered by chance just weeks before it would have merged into stable Linux distributions. This near-miss highlights the importance of supply chain security vigilance. While this miracle discovery prevented the infection of **hundreds of millions of servers** globally,
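Review bot: the unchanged Impact line still carries "This near-miss highlights the importance of supply chain security vigilance.", the same filler pattern this hunk removes from the paragraph above it, so the cleanup is only half applied in this section. Strip that sentence too. While here, "this miracle discovery" is editorializing; "this chance discovery" matches the preceding "discovered by chance".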
@@ -111,7 +112,7 @@ Build threats are a major focus of supply chain security. These threats target t
This incident illustrates a critical failure in supply chain security. Attackers compromised the **build environment and continuous integration server**, allowing them to modify and infect software updates
for the **Orion** network monitoring tool.
-**Impact:** The fallout was severe, reaching over a dozen U.S. government departments—including the **military, executive branch, and intelligence services**—who unknowingly installed the compromised updates. This attack became a catalyst for government supply chain security regulations.
+**Impact:** The fallout was severe, reaching over a dozen U.S. government departments—including the **military, executive branch, and intelligence services**—who unknowingly installed the compromised updates.
---
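Review bot: the removed "catalyst for government supply chain security regulations" clause is gone, but the untouched opener "This incident illustrates a critical failure in supply chain security." is the same kind of padding and says nothing the heading and the next sentence do not. Start the paragraph at "Attackers compromised the **build environment and continuous integration server**".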
@@ -129,7 +130,7 @@ Dependency threats represent one of the most common supply chain security challe
The **Log4Shell** vulnerability demonstrates the massive reach of dependency threats and the importance of supply chain security. A critical flaw in how the ubiquitous Java logging library **Log4j** processed log messages allowed attackers to
execute arbitrary code remotely (RCE) simply by sending a specific text string to a vulnerable server.
-**Impact:** Because Log4j was embedded as a dependency in **millions of applications**—from iCloud and Steam to enterprise software—the vulnerability left a vast portion of the internet exposed. It forced organizations globally to pause development and scramble to patch deep chains of transitive dependencies. This incident accelerated supply chain security adoption across the industry.
+**Impact:** Because Log4j was embedded as a dependency in **millions of applications**—from iCloud and Steam to enterprise software—the vulnerability left a vast portion of the internet exposed. It forced organizations globally to pause development and scramble to patch deep chains of transitive dependencies.
---
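Review bot: the trailing "This incident accelerated supply chain security adoption across the industry." is removed, but "and the importance of supply chain security" in the unchanged first sentence should go with it; "demonstrates the massive reach of dependency threats" is the whole point and stands on its own.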
@@ -216,14 +217,14 @@ For instance, a Kubernetes Admission Controller acts as a final gatekeeper. It i
## Industry Frameworks and Standards
-To standardize supply chain security practices described above, the industry relies on two primary frameworks:\
+To standardize the supply chain security practices described above, the industry relies on two primary frameworks:\
[**NIST SSDF**](https://csrc.nist.gov/projects/ssdf) and [**SLSA**](https://slsa.dev/).
While they share the same goal of improving supply chain security, they approach the problem from different perspectives: **SSDF** focuses on the **process**, while **SLSA** focuses on the **artifact**.
### NIST SSDF (The Process Standard)
-The [**Secure Software Development Framework (SSDF)**](https://csrc.nist.gov/projects/ssdf), published by [NIST (SP 800-218)](https://csrc.nist.gov/pubs/sp/800/218/final), provides supply chain security guidelines for the entire software lifecycle.
-It is less about specific tools and more about **organizational culture and policy** for supply chain security.
+The [**Secure Software Development Framework (SSDF)**](https://csrc.nist.gov/projects/ssdf), published by [NIST (SP 800-218)](https://csrc.nist.gov/pubs/sp/800/218/final), outlines high-level practices for the entire software lifecycle.
+It is less about specific tools and more about **organizational culture and policy**.
The framework requires organizations to:
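Review bot: "The framework requires organizations to:" (and "SSDF mandates" in the context of the next hunk) overstate SP 800-218, which is a catalogue of recommended practices; any obligation to follow it comes from procurement and attestation rules that reference it, not from the document itself. Since this hunk already softens "provides supply chain security guidelines" to "outlines high-level practices", make the next sentence consistent: "The framework recommends that organizations:".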
@@ -242,7 +243,7 @@ In short, SSDF mandates that an organization has a secure process and a trained
[**Supply-chain Levels for Software Artifacts (SLSA)**](/explanations/supply-chain-security/slsa-framework.mdx) is a supply chain security framework specifically designed to guarantee the integrity of the final software output.
Its fundamental concept is Provenance: metadata that describes exactly how an artifact was created, including the source code version, the build platform, and external parameters used.
-SLSA relies on the [in-toto framework](/explanations/supply-chain-security/in-toto-framework) to provide the standard format for this metadata. SLSA has become a cornerstone of modern supply chain security.
+SLSA relies on the [in-toto framework](/explanations/supply-chain-security/in-toto-framework) to provide the standard format for this metadata.
SLSA defines four maturity levels to guide organizations from basic documentation to advanced hardening:
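Review bot: the SLSA link target `/explanations/supply-chain-security/slsa-framework.mdx` keeps the `.mdx` extension, while the in-toto link two lines later uses the extensionless route (`/explanations/supply-chain-security/in-toto-framework`); on a file-route MDX site the extension form is most likely a 404, so drop it. Separately, "SLSA defines four maturity levels" is ambiguous: SLSA v1.0 numbers its Build track L0 through L3, while v0.1 used levels 1 through 4, so state which version the list below follows.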
@@ -259,7 +260,7 @@ SLSA defines four maturity levels to guide organizations from basic documentatio
## The "Shift Left" Philosophy
Implementing supply chain security is not just about adding new tools; it requires a fundamental shift in when security checks occur.
-This concept is widely known in the industry as **"Shift Left"** and is essential for effective supply chain security.
+This concept is widely known in the industry as **"Shift Left"**.
- {frontMatter.metaDescription && (
+ {frontMatter.description && (
)}
{Boolean(websiteId) && Boolean(umamiUrl) && (
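Review bot: switching the read to `frontMatter.description` silently drops the meta description for every page whose frontmatter still says `metaDescription`, and this patch migrates only one page. If the rest are not converted in the same PR, fall back during the transition, e.g. `{(frontMatter.description ?? frontMatter.metaDescription) && (`, and remove the fallback once the grep for `metaDescription:` in `src/pages` comes back empty.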
@@ -64,7 +64,7 @@ const config: DocsThemeConfig = {
},
logo: (
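Review bot: this hunk ends right after `logo: (`, so the header logo change cannot be reviewed from what is shown. Given the two renames at the top of the patch, the expected edit is the same underscore-to-hyphen path fix applied in `Footer.tsx`, for whichever of the two SVGs this element renders; confirm it is present before merge, since a missed reference here breaks the logo on every page.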