WisdomInterface

Don’t Take Code From Strangers

An Introduction to Checkmarx Supply Chain Security

Open source software (OSS) increasingly forms the foundation of application development across organizations. It’s a blessing to many devs, but can also create blind spots as security teams are tasked with tracking down vulnerable OSS packages, or worse, outright malicious packages injected into the software supply chain. They need the tools to identify, prioritize, and address these risks before they impact the organization.

This white paper provides answers to the often elusive problems of Supply Chain Security (SCS). It begins with a look at the relationship between the digital economy and OSS, with a focus on why open source software is such a popular attack vector.

It then introduces:

  • SLSA as a framework for supply chain integrity.
  • Why traditional SCA solutions are insufficient to detect code with malicious intent.
  • A way forward to avoid taking malicious code from strangers.