Book 2: Protecting the Software Supply Chain

Understanding threats is only the first step—organizations must translate that knowledge into effective defenses. This book provides a practical, comprehensive guide to securing software supply chains across the entire development lifecycle, from dependency selection through production deployment.

We begin with risk assessment and measurement, covering SBOMs, vulnerability databases, and software composition analysis. Dependency management represents a critical control point, and we examine strategies for vetting, updating, and reducing attack surface. Security testing extends beyond your own code to encompass dependencies through static analysis, dynamic testing, and red team exercises.

The book addresses infrastructure security: hardening development environments, securing CI/CD pipelines with zero-trust principles, and implementing build provenance and attestation. When incidents occur, we provide detailed guidance on detection, containment, and recovery. Finally, we cover operationalizing these defenses through security programs and platform engineering.