Software supply chain security
Software we all build and use has many dependencies, including internal dependencies, third-party vendor software, and open source software. And each dependency has its own chain of dependencies.
We also need to trust the software tools and infrastructure we use to develop, build, store, and run software. And we need to trust that members of our teams are following secure practices.
As a result, there are many places where a software supply chain can be vulnerable to attacks.
Supply-chain Levels for Software Artifacts (SLSA) is a framework for assessing and improving the security and integrity of your software supply chain. It maps best practices to requirements for each defined level of security maturity.
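One concrete check that a framework like SLSA builds on is tying a downloaded artifact to the provenance a trusted builder produced for it. The following is an added example, not code from this page or from the SLSA project: it constructs a minimal in-toto Statement carrying a SLSA v1 provenance predicate and then verifies that the artifact in hand matches the statement's subject digest and was produced by a builder on an allow-list. The artifact name, its contents, and the builder id are assumptions made up for the example; signature verification of the statement (normally a DSSE envelope) is assumed to have happened before this check runs.

```python
import hashlib
import json

# Constructed inputs for the example; none of these are real releases or builders.
ARTIFACT_NAME = "example-app-1.0.0.tar.gz"          # assumed artifact name
ARTIFACT_BYTES = b"constructed artifact contents for the example\n"
TRUSTED_BUILDERS = {"https://builder.example/ci"}   # assumed trusted builder id

INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(name: str, data: bytes, builder_id: str) -> dict:
    """Build a minimal in-toto Statement with a SLSA v1 provenance predicate.

    In a real pipeline the build platform emits and signs this; here it is
    constructed so the verification below has something to check.
    """
    return {
        "_type": INTOTO_STATEMENT_V1,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(data)}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {"runDetails": {"builder": {"id": builder_id}}},
    }


def check_provenance(statement: dict, name: str, data: bytes,
                     trusted_builders: set) -> tuple:
    """Return (ok, reason) for an artifact checked against its provenance.

    Assumes the statement's signature has already been verified; this only
    evaluates the claims inside the statement.
    """
    if statement.get("_type") != INTOTO_STATEMENT_V1:
        return False, "unexpected statement type"
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        return False, "predicate is not SLSA provenance"

    # 1. Match the artifact by digest, not just by name, so a swapped or
    #    tampered file is rejected even when its filename is correct.
    actual = sha256_hex(data)
    subjects = {s.get("name"): s.get("digest", {}).get("sha256")
                for s in statement.get("subject", [])}
    if name not in subjects:
        return False, "artifact not listed as a subject"
    if subjects[name] != actual:
        return False, "digest mismatch"

    # 2. Accept provenance only from builders this organisation has chosen
    #    to trust; provenance from an unknown builder proves nothing.
    builder = (statement.get("predicate", {}).get("runDetails", {})
               .get("builder", {}).get("id"))
    if builder not in trusted_builders:
        return False, "untrusted builder: %s" % builder
    return True, "ok"


if __name__ == "__main__":
    prov = make_provenance(ARTIFACT_NAME, ARTIFACT_BYTES, "https://builder.example/ci")
    print(json.dumps(prov, indent=2))
    print(check_provenance(prov, ARTIFACT_NAME, ARTIFACT_BYTES, TRUSTED_BUILDERS))
    # A single changed byte in the artifact makes the digest check fail.
    print(check_provenance(prov, ARTIFACT_NAME, ARTIFACT_BYTES + b"x", TRUSTED_BUILDERS))
```

The digest comparison is what links the artifact to the build record; the builder allow-list is what turns "someone produced provenance" into "a platform we trust produced it". Both checks are needed: a correct digest from an untrusted builder is as useless as a trusted builder's provenance for a different file.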