Software supply chain security is broader than SolarWinds and Log4j

siteadmin November 29, 2022

Dan Lorenc, CEO of Chainguard and former lead of Google’s Open Source Security Team, discusses lesser-known but serious types of software supply chain attacks, such as unauthorized commits, publishing-server compromise, and attacks on open source package repositories. He criticizes the security industry’s overemphasis on scanners and software composition analysis tools, and points out that the industry has neglected to secure critical points in the supply chain. He also highlights newly developed tools such as Sigstore and gitsign that can help strengthen defenses.