[{"data":1,"prerenderedAt":481},["ShallowReactive",2],{"/en-us/the-source/security/field-guide-to-threat-vectors-in-the-software-supply-chain/":3,"footer-en-us":32,"the-source-banner-en-us":339,"the-source-navigation-en-us":351,"the-source-newsletter-en-us":379,"article-site-categories-en-us":390,"field-guide-to-threat-vectors-in-the-software-supply-chain-article-hero-category-en-us":392,"field-guide-to-threat-vectors-in-the-software-supply-chain-the-source-gated-asset-en-us":416,"field-guide-to-threat-vectors-in-the-software-supply-chain-category-en-us":428,"field-guide-to-threat-vectors-in-the-software-supply-chain-the-source-resources-en-us":440},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"config":8,"seo":13,"content":17,"type":24,"slug":25,"category":5,"_id":26,"_type":27,"title":7,"_source":28,"_file":29,"_stem":30,"_extension":31},"/en-us/the-source/security/field-guide-to-threat-vectors-in-the-software-supply-chain","security",false,"",{"layout":9,"template":10,"articleType":11,"featured":6,"gatedAsset":12},"the-source","TheSourceArticle","Guide","pf-a-field-guide-to-threat-vectors-in-the-software-supply-chain",{"title":14,"description":15,"ogImage":16},"A field guide to threat vectors in the software supply chain","Discover how to safeguard against software supply chain attacks by identifying and mitigating potential threats at each stage of the development lifecycle.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751464282/r2ovpvmizpkcngy9kzqu.png",{"title":14,"date":18,"description":15,"heroImage":16,"keyTakeaways":19,"articleBody":23},"2024-03-08",[20,21,22],"The software supply chain, including source code, third-party dependencies, build pipeline, and post-release configurations, is a complex web of relationships vulnerable to attacks at any stage.","Implementing zero trust principles, such as continuous validation, securing access, and verifying dependencies, is key to securing each stage of the software supply chain.","DevOps teams need to understand common types of supply chain threats and adopt measures to mitigate these risks within their software development lifecycle.","Software isn’t developed in a vacuum. An entire ecosystem of components - the software supply chain - is involved in building, testing, and delivering software. This ecosystem offers fertile ground for developing new applications, with a wealth of open source packages, libraries, tools, and processes. However, there are significant challenges as well. The software supply chain is a complicated web of relationships, dependencies, and potential vulnerabilities that can be exploited by attackers. Recent high-profile incidents have highlighted the difficulty organizations face in keeping up with evolving security threats and changing compliance regulations, prompting them to reassess how they maintain software supply chain security.\n\n## Understanding the threats\nThreats can infiltrate the software supply chain at four key points: through security vulnerabilities in the software's source code, vulnerabilities in dependencies like open source components, vulnerabilities in the software build pipeline, and insecure configurations post-release.\n\n- **Compromised source control**: The source code is the foundation of the supply chain, and it is essential to ensure the source code’s security and integrity by closely managing who has access to the code and how changes to the code are reviewed and merged. If attackers gain unauthorized access to source code management (SCM) systems, they can take over source code repositories, impersonate users, and modify downstream aspects of the software build process, such as the CI/CD pipeline.\n- **Risky open source dependencies**: Just as failing to manage the quality of goods used in a manufacturing process will jeopardize the quality of the final product, using open source code without validating the quality and security of that code can increase the attack surface and open the door to cyber attacks. Risky dependencies can either be unintentional flaws in third-party components that are found and exploited by attackers, or malicious code deliberately inserted by attackers into public libraries and open source software to gain access to downstream targets.\n- **Compromised build pipeline**: The build pipeline is the assembly line of the software supply chain: where all the software components are assembled into a deployable package. If the build pipeline is compromised, attackers can inject malicious code into the build process and thereby distribute that code to downstream components of the software, including end users.\n- **Insecure web applications**: Even without direct access to source code, dependencies, and build pipelines, attackers can still exploit weaknesses in an application’s design or security configurations.\n\n## Improve your security posture with zero trust\nTo improve software supply chain security, organizations must enforce zero trust principles by:\n\n- Securing access to resources, including source code, with multi-factor authentication, authorization, and continuous validation of all human and machine identities within the environment.\n- Verifying that no open source or other dependencies used in software contain known vulnerabilities.\n- Preventing bad actors from gaining unauthorized access to build pipelines and rigorously testing configurations and APIs for weaknesses.\n\n## Strategies for securing the software supply chain\nUltimately, it’s essential to scrutinize everything and everyone - human, machine, open source components, or application configurations - for potential security threats. This guide will equip DevOps and security teams with the knowledge they need to understand the various types of attack vectors and identify steps to mitigate risks by establishing zero trust.\n\nAs you navigate through the guide, consider whether your organization is prepared to identify and address each type of supply chain attack vector - compromised source control, risky open source dependencies, compromised build pipelines, and insecure web applications - and evaluate how to incorporate software supply chain security into your development process, especially in the face of evolving security challenges and compliance demands.","article","field-guide-to-threat-vectors-in-the-software-supply-chain","content:en-us:the-source:security:field-guide-to-threat-vectors-in-the-software-supply-chain:index.yml","yaml","content","en-us/the-source/security/field-guide-to-threat-vectors-in-the-software-supply-chain/index.yml","en-us/the-source/security/field-guide-to-threat-vectors-in-the-software-supply-chain/index","yml",{"_path":33,"_dir":34,"_draft":6,"_partial":6,"_locale":7,"data":35,"_id":335,"_type":27,"title":336,"_source":28,"_file":337,"_stem":338,"_extension":31},"/shared/en-us/main-footer","en-us",{"text":36,"source":37,"edit":43,"contribute":48,"config":53,"items":58,"minimal":327},"Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license",{"text":38,"config":39},"View page source",{"href":40,"dataGaName":41,"dataGaLocation":42},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/","page source","footer",{"text":44,"config":45},"Edit this page",{"href":46,"dataGaName":47,"dataGaLocation":42},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/content/","web ide",{"text":49,"config":50},"Please contribute",{"href":51,"dataGaName":52,"dataGaLocation":42},"https://gitlab.com/gitlab-com/marketing/digital-experience/about-gitlab-com/-/blob/main/CONTRIBUTING.md/","please contribute",{"twitter":54,"facebook":55,"youtube":56,"linkedin":57},"https://twitter.com/gitlab","https://www.facebook.com/gitlab","https://www.youtube.com/channel/UCnMGQ8QHMAnVIsI3xJrihhg","https://www.linkedin.com/company/gitlab-com",[59,86,158,226,288],{"title":60,"links":61,"subMenu":67},"Platform",[62],{"text":63,"config":64},"DevSecOps platform",{"href":65,"dataGaName":66,"dataGaLocation":42},"/platform/","devsecops platform",[68],{"title":69,"links":70},"Pricing",[71,76,81],{"text":72,"config":73},"View plans",{"href":74,"dataGaName":75,"dataGaLocation":42},"/pricing/","view plans",{"text":77,"config":78},"Why Premium?",{"href":79,"dataGaName":80,"dataGaLocation":42},"/pricing/premium/","why premium",{"text":82,"config":83},"Why Ultimate?",{"href":84,"dataGaName":85,"dataGaLocation":42},"/pricing/ultimate/","why ultimate",{"title":87,"links":88},"Solutions",[89,94,98,103,108,113,118,123,128,133,138,143,148,153],{"text":90,"config":91},"Digital transformation",{"href":92,"dataGaName":93,"dataGaLocation":42},"/topics/digital-transformation/","digital transformation",{"text":95,"config":96},"Application Security Testing",{"href":97,"dataGaName":95,"dataGaLocation":42},"/solutions/application-security-testing/",{"text":99,"config":100},"Automated software delivery",{"href":101,"dataGaName":102,"dataGaLocation":42},"/solutions/delivery-automation/","automated software delivery",{"text":104,"config":105},"Agile development",{"href":106,"dataGaName":107,"dataGaLocation":42},"/solutions/agile-delivery/","agile delivery",{"text":109,"config":110},"Cloud transformation",{"href":111,"dataGaName":112,"dataGaLocation":42},"/topics/cloud-native/","cloud transformation",{"text":114,"config":115},"SCM",{"href":116,"dataGaName":117,"dataGaLocation":42},"/solutions/source-code-management/","source code management",{"text":119,"config":120},"CI/CD",{"href":121,"dataGaName":122,"dataGaLocation":42},"/solutions/continuous-integration/","continuous integration & delivery",{"text":124,"config":125},"Value stream management",{"href":126,"dataGaName":127,"dataGaLocation":42},"/solutions/value-stream-management/","value stream management",{"text":129,"config":130},"GitOps",{"href":131,"dataGaName":132,"dataGaLocation":42},"/solutions/gitops/","gitops",{"text":134,"config":135},"Enterprise",{"href":136,"dataGaName":137,"dataGaLocation":42},"/enterprise/","enterprise",{"text":139,"config":140},"Small business",{"href":141,"dataGaName":142,"dataGaLocation":42},"/small-business/","small business",{"text":144,"config":145},"Public sector",{"href":146,"dataGaName":147,"dataGaLocation":42},"/solutions/public-sector/","public sector",{"text":149,"config":150},"Education",{"href":151,"dataGaName":152,"dataGaLocation":42},"/solutions/education/","education",{"text":154,"config":155},"Financial services",{"href":156,"dataGaName":157,"dataGaLocation":42},"/solutions/finance/","financial services",{"title":159,"links":160},"Resources",[161,166,171,176,181,186,191,196,201,206,211,216,221],{"text":162,"config":163},"Install",{"href":164,"dataGaName":165,"dataGaLocation":42},"/install/","install",{"text":167,"config":168},"Quick start guides",{"href":169,"dataGaName":170,"dataGaLocation":42},"/get-started/","quick setup checklists",{"text":172,"config":173},"Learn",{"href":174,"dataGaName":175,"dataGaLocation":42},"https://university.gitlab.com/","learn",{"text":177,"config":178},"Product documentation",{"href":179,"dataGaName":180,"dataGaLocation":42},"https://docs.gitlab.com/","docs",{"text":182,"config":183},"Blog",{"href":184,"dataGaName":185,"dataGaLocation":42},"/blog/","blog",{"text":187,"config":188},"Customer success stories",{"href":189,"dataGaName":190,"dataGaLocation":42},"/customers/","customer success stories",{"text":192,"config":193},"Remote",{"href":194,"dataGaName":195,"dataGaLocation":42},"https://handbook.gitlab.com/handbook/company/culture/all-remote/","remote",{"text":197,"config":198},"GitLab Services",{"href":199,"dataGaName":200,"dataGaLocation":42},"/services/","services",{"text":202,"config":203},"TeamOps",{"href":204,"dataGaName":205,"dataGaLocation":42},"/teamops/","teamops",{"text":207,"config":208},"Community",{"href":209,"dataGaName":210,"dataGaLocation":42},"/community/","community",{"text":212,"config":213},"Forum",{"href":214,"dataGaName":215,"dataGaLocation":42},"https://forum.gitlab.com/","forum",{"text":217,"config":218},"Events",{"href":219,"dataGaName":220,"dataGaLocation":42},"/events/","events",{"text":222,"config":223},"Partners",{"href":224,"dataGaName":225,"dataGaLocation":42},"/partners/","partners",{"title":227,"links":228},"Company",[229,234,239,244,249,254,259,263,268,273,278,283],{"text":230,"config":231},"About",{"href":232,"dataGaName":233,"dataGaLocation":42},"/company/","company",{"text":235,"config":236},"Jobs",{"href":237,"dataGaName":238,"dataGaLocation":42},"/jobs/","jobs",{"text":240,"config":241},"Leadership",{"href":242,"dataGaName":243,"dataGaLocation":42},"/company/team/e-group/","leadership",{"text":245,"config":246},"Team",{"href":247,"dataGaName":248,"dataGaLocation":42},"/company/team/","team",{"text":250,"config":251},"Handbook",{"href":252,"dataGaName":253,"dataGaLocation":42},"https://handbook.gitlab.com/","handbook",{"text":255,"config":256},"Investor relations",{"href":257,"dataGaName":258,"dataGaLocation":42},"https://ir.gitlab.com/","investor relations",{"text":260,"config":261},"Sustainability",{"href":262,"dataGaName":260,"dataGaLocation":42},"/sustainability/",{"text":264,"config":265},"Diversity, inclusion and belonging (DIB)",{"href":266,"dataGaName":267,"dataGaLocation":42},"/diversity-inclusion-belonging/","Diversity, inclusion and belonging",{"text":269,"config":270},"Trust Center",{"href":271,"dataGaName":272,"dataGaLocation":42},"/security/","trust center",{"text":274,"config":275},"Newsletter",{"href":276,"dataGaName":277,"dataGaLocation":42},"/company/contact/","newsletter",{"text":279,"config":280},"Press",{"href":281,"dataGaName":282,"dataGaLocation":42},"/press/","press",{"text":284,"config":285},"Modern Slavery Transparency Statement",{"href":286,"dataGaName":287,"dataGaLocation":42},"https://handbook.gitlab.com/handbook/legal/modern-slavery-act-transparency-statement/","modern slavery transparency statement",{"title":289,"links":290},"Contact Us",[291,296,301,306,311,316,321],{"text":292,"config":293},"Contact an expert",{"href":294,"dataGaName":295,"dataGaLocation":42},"/sales/","sales",{"text":297,"config":298},"Get help",{"href":299,"dataGaName":300,"dataGaLocation":42},"/support/","get help",{"text":302,"config":303},"Customer portal",{"href":304,"dataGaName":305,"dataGaLocation":42},"https://customers.gitlab.com/customers/sign_in/","customer portal",{"text":307,"config":308},"Status",{"href":309,"dataGaName":310,"dataGaLocation":42},"https://status.gitlab.com/","status",{"text":312,"config":313},"Terms of use",{"href":314,"dataGaName":315,"dataGaLocation":42},"/terms/","terms of use",{"text":317,"config":318},"Privacy statement",{"href":319,"dataGaName":320,"dataGaLocation":42},"/privacy/","privacy statement",{"text":322,"config":323},"Cookie preferences",{"dataGaName":324,"dataGaLocation":42,"id":325,"isOneTrustButton":326},"cookie preferences","ot-sdk-btn",true,{"items":328},[329,331,333],{"text":312,"config":330},{"href":314,"dataGaName":315,"dataGaLocation":42},{"text":317,"config":332},{"href":319,"dataGaName":320,"dataGaLocation":42},{"text":322,"config":334},{"dataGaName":324,"dataGaLocation":42,"id":325,"isOneTrustButton":326},"content:shared:en-us:main-footer.yml","Main Footer","shared/en-us/main-footer.yml","shared/en-us/main-footer",{"_path":340,"_dir":341,"_draft":6,"_partial":6,"_locale":7,"visibility":326,"id":342,"title":343,"button":344,"_id":348,"_type":27,"_source":28,"_file":349,"_stem":350,"_extension":31},"/shared/en-us/the-source/banner/the-economics-of-software-innovation-2025-08-18","banner","The Economics of Software Innovation","The Economics of Software Innovation—AI’s $750 Billion Opportunity",{"config":345,"text":347},{"href":346},"/software-innovation-report/","Get the research report","content:shared:en-us:the-source:banner:the-economics-of-software-innovation-2025-08-18.yml","shared/en-us/the-source/banner/the-economics-of-software-innovation-2025-08-18.yml","shared/en-us/the-source/banner/the-economics-of-software-innovation-2025-08-18",{"_path":352,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"logo":353,"subscribeLink":358,"navItems":362,"_id":375,"_type":27,"title":376,"_source":28,"_file":377,"_stem":378,"_extension":31},"/shared/en-us/the-source/navigation",{"altText":354,"config":355},"the source logo",{"src":356,"href":357},"https://res.cloudinary.com/about-gitlab-com/image/upload/v1750191004/t7wz1klfb2kxkezksv9t.svg","/the-source/",{"text":359,"config":360},"Subscribe",{"href":361},"#subscribe",[363,367,371],{"text":364,"config":365},"Artificial Intelligence",{"href":366},"/the-source/ai/",{"text":368,"config":369},"Security & Compliance",{"href":370},"/the-source/security/",{"text":372,"config":373},"Platform & Infrastructure",{"href":374},"/the-source/platform/","content:shared:en-us:the-source:navigation.yml","Navigation","shared/en-us/the-source/navigation.yml","shared/en-us/the-source/navigation",{"_path":380,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"title":381,"description":382,"submitMessage":383,"formData":384,"_id":387,"_type":27,"_source":28,"_file":388,"_stem":389,"_extension":31},"/shared/en-us/the-source/newsletter","The Source Newsletter","Stay updated with insights for the future of software development.","You have successfully signed up for The Source’s newsletter.",{"config":385},{"formId":386,"formName":277,"hideRequiredLabel":326},1077,"content:shared:en-us:the-source:newsletter.yml","shared/en-us/the-source/newsletter.yml","shared/en-us/the-source/newsletter",{"categoryNames":391},{"ai":364,"platform":372,"security":368},{"_path":393,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"type":394,"config":395,"seo":396,"content":399,"slug":5,"_id":413,"_type":27,"title":7,"_source":28,"_file":414,"_stem":415,"_extension":31},"/en-us/the-source/security","category",{"layout":9},{"title":368,"description":397,"ogImage":398},"Get up to speed on how organizations can ensure they're staying on top of evolving security threats and compliance requirements.","https://res.cloudinary.com/about-gitlab-com/image/upload/v1751463273/aplkxrvwpii26xao5yhi.png",[400,405],{"componentName":401,"type":401,"componentContent":402},"TheSourceCategoryHero",{"title":368,"description":397,"image":403},{"config":404},{"src":398},{"componentName":406,"type":406,"componentContent":407},"TheSourceCategoryMainSection",{"config":408},{"gatedAssets":409},[410,411,412],"source-lp-guide-to-dynamic-sboms","source-lp-devsecops-the-key-to-modern-security-resilience","application-security-in-the-digital-age","content:en-us:the-source:security:index.yml","en-us/the-source/security/index.yml","en-us/the-source/security/index",{"_path":417,"_dir":418,"_draft":6,"_partial":6,"_locale":7,"config":419,"title":14,"link":422,"_id":425,"_type":27,"_source":28,"_file":426,"_stem":427,"_extension":31},"/shared/en-us/the-source/gated-assets/pf-a-field-guide-to-threat-vectors-in-the-software-supply-chain","gated-assets",{"id":12,"formId":420,"utmCampaign":421},1002,"eg_global_cmp_gated-content_speedsecurity_en_guidethreatvectors",{"config":423},{"href":424},"https://learn.gitlab.com/the-source-security/field-guide-supply-chain-security","content:shared:en-us:the-source:gated-assets:pf-a-field-guide-to-threat-vectors-in-the-software-supply-chain.yml","shared/en-us/the-source/gated-assets/pf-a-field-guide-to-threat-vectors-in-the-software-supply-chain.yml","shared/en-us/the-source/gated-assets/pf-a-field-guide-to-threat-vectors-in-the-software-supply-chain",{"_path":393,"_dir":9,"_draft":6,"_partial":6,"_locale":7,"type":394,"config":429,"seo":430,"content":431,"slug":5,"_id":413,"_type":27,"title":7,"_source":28,"_file":414,"_stem":415,"_extension":31},{"layout":9},{"title":368,"description":397,"ogImage":398},[432,436],{"componentName":401,"type":401,"componentContent":433},{"title":368,"description":397,"image":434},{"config":435},{"src":398},{"componentName":406,"type":406,"componentContent":437},{"config":438},{"gatedAssets":439},[410,411,412],[441,455,468],{"_path":442,"_dir":418,"_draft":6,"_partial":6,"_locale":7,"config":443,"title":444,"description":445,"link":446,"_id":452,"_type":27,"_source":28,"_file":453,"_stem":454,"_extension":31},"/shared/en-us/the-source/gated-assets/application-security-in-the-digital-age",{"id":412,"formId":420},"Application security in the digital age","Read our survey findings from more than 5,000 DevSecOps professionals worldwide for insights on how organizations are grappling with increasing attack surfaces and changing attitudes towards security and AI.",{"text":447,"config":448},"Read the report",{"href":449,"dataGaName":450,"dataGaLocation":451},"/developer-survey/2024/security-compliance/","Application Security in the Digital Age","thesource","content:shared:en-us:the-source:gated-assets:application-security-in-the-digital-age.yml","shared/en-us/the-source/gated-assets/application-security-in-the-digital-age.yml","shared/en-us/the-source/gated-assets/application-security-in-the-digital-age",{"_path":456,"_dir":418,"_draft":6,"_partial":6,"_locale":7,"config":457,"title":458,"description":459,"link":460,"_id":465,"_type":27,"_source":28,"_file":466,"_stem":467,"_extension":31},"/shared/en-us/the-source/gated-assets/source-lp-devsecops-the-key-to-modern-security-resilience",{"id":411},"DevSecOps: The key to modern security resilience","Learn how embedding security in development can slash incident response time by 720x and save millions in security costs annually.",{"text":461,"config":462},"Download the guide",{"href":463,"dataGaName":464,"dataGaLocation":451},"/the-source/security/devsecops-the-key-to-modern-security-resilience/","DevSecOps the key to modern security resilience","content:shared:en-us:the-source:gated-assets:source-lp-devsecops-the-key-to-modern-security-resilience.yml","shared/en-us/the-source/gated-assets/source-lp-devsecops-the-key-to-modern-security-resilience.yml","shared/en-us/the-source/gated-assets/source-lp-devsecops-the-key-to-modern-security-resilience",{"_path":469,"_dir":418,"_draft":6,"_partial":6,"_locale":7,"config":470,"title":471,"description":472,"link":473,"_id":478,"_type":27,"_source":28,"_file":479,"_stem":480,"_extension":31},"/shared/en-us/the-source/gated-assets/source-lp-guide-to-dynamic-sboms",{"id":410},"Guide to dynamic SBOMs: An integral element of modern software development","Learn how to gain visibility into previously unidentified organizational risks with a software bill of materials (SBOM).",{"text":474,"config":475},"Read the guide",{"href":476,"dataGaName":477,"dataGaLocation":451},"/the-source/security/guide-to-dynamic-sboms/","Guide to Dynamic SBOMs","content:shared:en-us:the-source:gated-assets:source-lp-guide-to-dynamic-sboms.yml","shared/en-us/the-source/gated-assets/source-lp-guide-to-dynamic-sboms.yml","shared/en-us/the-source/gated-assets/source-lp-guide-to-dynamic-sboms",1758747456861]