Software supply chain security is broader than SolarWinds and Log4J

Software supply chain security has evolved as a major concern due to attacks like the SolarWinds and Log4j incidents. Current industry approaches, such as scanners or software composition analysis tools, are inadequate in detecting all vulnerabilities. A zero-trust approach should be taken for securing supply chains, along with signing and verification of code and artifacts. Provenance should be the basis of security policies, i.e., where software originates from and how it was produced.