## Progressive Summary

**Executive Summary (Layer 3)**: **The software supply chain — every process and company involved in obtaining third-party components — is an attack surface: each supplier is an entry point to everything downstream.**

**Key Insight (Layer 2)**: "Each software supplier in the SSC is a potential entry point for attackers to target key national assets in cyberspace."

**Context (Layer 1)**: Gokkaya, Aniello & Halak, literature review of SSC attacks, risks, and controls (highlights saved Feb 2025).

**Discoverability Score**: 9/10

---

## Atomic Insight

**Supply chain security defends the trust you extend to code you didn't write.**

The software supply chain (SSC) is the set of processes for selecting and obtaining components from third parties. Its choke point is the build stage, where the build system combines in-house code with third-party packages — importing every supplier's compromise into your own artifact.

Resilience framing (UK National Cyber Strategy 2022): (i) understand the risk, (ii) protect and withstand, (iii) minimize impact of successful attacks.

Zahan et al.'s study of 1.63M npm packages mapped six vulnerable entry points; mitigations center on vetting maintainers and reviewing new releases — controls aimed at people and process, not just code.

Flagged blind spot: research over-indexes on open-source chains (observable) while proprietary chains carry the same risk with less visibility.

## In This Vault

Instances: [[PyPI Supply Chain Attack via Popular AI Dependencies]], [[Pipelines Implicitly Trust Their Inputs]], [[Updating Dependencies Is Riskier Than Latent Bugs]], [[LLM Router Supply Chain Attacks]], [[Cascading System Failures]].

---

*Source: [[Software Supply Chain Review of Attacks Risk Assessment Strategies and Security Controls]] (Gokkaya, Aniello & Halak; Readwise highlights, 2025-02-06)*