A03:2025 – Software Supply Chain Failures
Software supply chain failures are breakdowns or compromises in building, distributing, or updating software—often caused by vulnerabilities or malicious changes in third-party code, tools, or dependencies. You are vulnerable if you use components from untrusted sources, do not track or verify dependencies, or do not scan and patch in a timely way.
Click Here to access Software Supply Chain ChallengePractical lab: a Feedback Portal loads a third-party widget from a configurable URL (no allowlist, no integrity check). Your goal: set the widget URL to a script that exfiltrates the secret the page holds—like a compromised CDN or tampered dependency in production.
Real-world supply chain attacks include trusted vendors compromised with malware (e.g. SolarWinds), packages that behave maliciously under certain conditions (e.g. wallet theft), and malicious package versions that harvest and exfiltrate sensitive data—sometimes using post-install scripts or stealing tokens to propagate. Components from untrusted sources or without verification put production at risk.
Compromised or malicious dependencies can lead to data exfiltration, credential theft, remote code execution, or backdoors. Flaws in any component can have serious impact because components typically run with the same privileges as the application (e.g. CVE-2017-5638, Log4Shell). Unverified or out-of-date dependencies leave you exposed for as long as they are not fixed.
Track all components and nested dependencies; scan regularly and subscribe to security bulletins; use a change management process and harden the supply chain (least privilege, separation of duty); do not use components from untrusted sources in production; fix and upgrade in a risk-based, timely fashion; secure CI/CD and verify artifacts (checksums, signatures); allowlist and verify what you load.