
December 2020. SolarWinds gets hacked.
Suddenly, everyone's talking about supply chain attacks. But honestly? We should have seen this coming years ago. The way we build software today is fundamentally different from even a decade ago. We're not really "building" anything anymore, we're assembling pre-made components like digital Lego blocks.
Think about it. Your typical web application today? It's probably running on top of hundreds, maybe thousands of third-party libraries. Each one written by someone you don't know. Hosted somewhere you've never been. Updated whenever they feel like it.
That's terrifying when you really think about it.
The Problem Nobody Wants to Talk About
Here's what happened with Log4j. A vulnerability gets announced on a Thursday evening. By Friday morning, every security team in the world is scrambling to figure out if they're affected. The problem? Nobody actually knew what was running in production.
I watched grown engineers grep through gigabytes of code, manually searching for log4j references. Some teams spent entire weekends doing forensics on their own applications. It was chaos.
The average Node.js project pulls in over 1,000 dependencies. One thousand. Each dependency has its own dependencies. The rabbit hole goes deep. Really deep.
Maven Central hosts over 500,000 artifacts. NPM has more than 2 million packages. PyPI contains 400,000+ projects. We're drowning in code we didn't write.
SBOMs: Finally, Some Visibility
Software Bill of Materials sounds boring. It's not.
An SBOM is basically a detailed ingredient list for your software. Every library, every framework, every tiny utility function—all catalogued with versions, licenses, and cryptographic fingerprints.
The Biden administration made SBOMs mandatory for federal software procurement through Executive Order 14028. Not suggested. Mandatory. If you want to sell software to the government, you need an SBOM.
Tools like Syft changed everything. Instead of manually tracking dependencies (which nobody actually did), you can generate comprehensive SBOMs automatically during your build process. CycloneDX provides a standardized format that works across languages and ecosystems.
FOSSA commercialized the whole thing, adding compliance tracking and vulnerability correlation. Anchore brought enterprise-grade scanning capabilities. What used to take weeks of manual work now happens in seconds.
But here's the thing about SBOMs—they're only as good as your ability to act on them. Having a list of components doesn't automatically make you secure. You need to know what to do when vulnerabilities emerge.
SLSA: Google's Answer to Build Security
Google open-sourced their internal supply chain security practices and called it SLSA. The name stands for Supply-chain Levels for Software Artifacts, but honestly, the acronym is the least important part.
SLSA defines four levels of build security maturity:
Level 1 is basic stuff. Your build process is documented and stored in version control. Most teams already do this.
Level 2 adds hosted build services and authenticated contributors. GitHub Actions, GitLab CI, Azure DevOps—these platforms provide Level 2 capabilities out of the box.
Level 3 is where it gets interesting. You need build isolation, tamper-evident logs, and non-falsifiable provenance. Not many organizations have reached this level yet.
Level 4 is the gold standard. Hermetic builds, mandatory two-person reviews, and cryptographically verifiable everything. Only a handful of companies have implemented Level 4 processes.
The genius of SLSA is that it's incremental. You don't need to jump straight to Level 4. Start with Level 1, then gradually work your way up as your security maturity evolves.
GitHub Actions now generates SLSA provenance automatically for public repositories. Tekton Chains provides similar capabilities for Kubernetes environments. The tooling ecosystem has evolved rapidly over the past two years.
Sigstore: Code Signing for the Rest of Us
Traditional code signing was a nightmare. You had to generate long-term cryptographic keys, protect them from compromise, implement key rotation procedures, and distribute public keys to everyone who needed to verify signatures.
Small teams couldn't afford the operational overhead. Large organizations struggled with key management at scale. The result? Most software shipped unsigned.
Sigstore flipped the entire model. Instead of managing long-term keys, developers authenticate with existing identity providers—GitHub, Google, Microsoft—and receive ephemeral certificates valid for just a few minutes.
Cosign handles container image signing. Rekor provides an immutable transparency log that records all signing events. Fulcio issues those short-lived certificates. The entire process is transparent and verifiable.
Kubernetes now requires signed images for certain components. The Cloud Native Computing Foundation has integrated Sigstore into dozens of projects. What used to require dedicated security expertise now works with a single command.
The adoption curve has been remarkable. From zero to widespread industry adoption in under three years.
Policy as Code: Making Security Automatic
Visibility and signing mean nothing without enforcement. This is where policy-as-code transforms security from a manual process to an automated one.
Open Policy Agent (OPA) lets you write security policies in Rego, a declarative language designed for authorization decisions. Kyverno provides similar capabilities with YAML-based policies that are easier for developers to understand.
You can mandate SBOM presence, verify cryptographic signatures, and block deployments that don't meet security standards. The enforcement happens automatically at deployment time.
Infrastructure as Code scanning has matured alongside these developments. Checkov analyzes Terraform configurations for security misconfigurations. tfsec focuses specifically on Terraform security issues. kics provides multi-language IaC scanning capabilities.
Container vulnerability scanning has evolved beyond simple CVE matching. Trivy provides comprehensive scanning for containers, filesystems, and repositories. Grype focuses on speed and accuracy. Snyk adds developer-friendly interfaces and automated fix recommendations.
The key insight? Security works best when it's embedded in the development workflow rather than bolted on afterward.
What's Actually Happening in 2025
We're seeing a fundamental shift in how organizations approach software security. The old model—patch quickly when vulnerabilities emerge—is giving way to proactive, verifiable trust built into every stage of the software lifecycle.
More organizations are requiring SBOMs for all software acquisitions. Government contractors have no choice. Private companies are following suit.
Container registries are implementing signature verification by default. Harbor, Amazon ECR, and Azure Container Registry all support Sigstore integration.
CI/CD platforms are embedding security scanning directly into build pipelines. GitHub Advanced Security, GitLab Ultimate, and Azure DevOps Services include vulnerability scanning, secret detection, and dependency analysis.
The tooling has reached a tipping point. What used to require dedicated security teams can now be implemented by regular developers with minimal training.
The Bottom Line
Supply chain security isn't a technical problem—it's a trust problem. How do you trust software you didn't write? How do you verify the integrity of components that travel through dozens of systems before reaching production?
SBOMs provide visibility. SLSA provides verifiable build integrity. Sigstore provides cryptographic proof of origin. Policy-as-code provides automated enforcement.
Together, they're transforming how we think about software security. Instead of reacting to vulnerabilities after they're discovered, we're building systems that provide continuous verification and attestation.
The house of cards is being rebuilt. This time, we're using better materials and following building codes.
As Brian Behlendorf from the OpenSSF put it: "You can't secure what you can't see. SBOMs and SLSA give us the map and the trail."
The trail leads to a future where software supply chain security isn't an afterthought—it's the foundation everything else is built on. Where transparency isn't optional, it's automatic. Where verification isn't manual, it's mathematical.
Trust, but verify. Then verify again. The stakes are too high to do anything less.
Comments ( 0 )