Software Supply-Chain Security Audit

admin · 2024-02-09 12:46:48 · 8 views · 3,781 characters · 12 min 36 s read


The State of Software Supply Chain Security

Third-party dependencies: Most development teams pull in third-party components and libraries to speed up delivery, but every dependency adds complexity and risk to the software supply chain. When the security and trustworthiness of those third parties cannot be established, every consumer of their code inherits the exposure.
Open source software security: Open source components are used throughout the software supply chain, but security review and vulnerability patching in an open source project may lag, which gives attackers a window to exploit known flaws or to plant malicious code in a package.
Supply chain partner security: Partners in the software supply chain include software developers, suppliers, contractors and others, and their security posture directly affects the security of the whole chain. A partner without strong security controls is an easy target, and a foothold there becomes a route into everything downstream.

Weak code signing: Gaps in code signing and update verification allow malicious code to be injected into software during the update process; in the most serious cases an APT group abuses the vendor's own update channel to infect the software's entire user base.
Cloud service security: Many organizations deploy software to the cloud, so the security of the cloud service provider has become part of software supply chain security. A vulnerability in, or attack on, a cloud provider affects both the development teams and the end users who depend on its services.
IoT device security: As IoT devices spread, so does the software supply chain behind them. Firmware security and the security of remote management interfaces on IoT devices need to be taken seriously.
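The third-party dependency and code-signing points above describe the same failure in two forms: a consumer installs bytes whose origin and integrity were never checked. The following Go program is an added example, not code from the original post or from any vendor's updater, showing the minimum a client should do before applying an update: verify a publisher signature over a manifest, pin the package digest inside that manifest, and refuse downgrades. The manifest text format, the function names (SignUpdate, VerifyUpdate, ParseManifest, GenerateKeys) and the sample payload are all constructed for this example; only the Go standard library is used. It goes slightly beyond the text by also showing strict manifest parsing and anti-rollback, since a validly signed old manifest is the classic downgrade attack on an update channel.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is what the publisher signs: the signature covers the manifest and
// the manifest pins the package digest, so a swapped or modified package
// fails even though its bytes were never signed directly. The text format
// "version=N\nsha256=HEX\n" is constructed for this example, not a real one.
type Manifest struct {
	Version int
	SHA256  [sha256.Size]byte
}

// ParseManifest is strict: unknown keys, missing fields and malformed values
// are errors, so a truncated manifest cannot parse as "version 0, zero digest".
func ParseManifest(b []byte) (Manifest, error) {
	var m Manifest
	haveVersion, haveDigest := false, false
	for _, line := range strings.Split(strings.TrimSpace(string(b)), "\n") {
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			return m, fmt.Errorf("malformed manifest line %q", line)
		}
		switch key {
		case "version":
			n, err := strconv.Atoi(val)
			if err != nil || n < 0 {
				return m, fmt.Errorf("bad version %q", val)
			}
			m.Version, haveVersion = n, true
		case "sha256":
			d, err := hex.DecodeString(val)
			if err != nil || len(d) != sha256.Size {
				return m, fmt.Errorf("bad sha256 %q", val)
			}
			copy(m.SHA256[:], d)
			haveDigest = true
		default:
			return m, fmt.Errorf("unknown manifest key %q", key)
		}
	}
	if !haveVersion || !haveDigest {
		return m, errors.New("manifest missing version or sha256")
	}
	return m, nil
}

// GenerateKeys makes the publisher's Ed25519 key pair. In production the
// private key lives in an HSM or signing service, never on the build host.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignUpdate is the publisher side: hash the package, write the manifest,
// sign the manifest (not the package).
func SignUpdate(priv ed25519.PrivateKey, version int, pkg []byte) (manifest, sig []byte) {
	d := sha256.Sum256(pkg)
	manifest = []byte(fmt.Sprintf("version=%d\nsha256=%s\n", version, hex.EncodeToString(d[:])))
	return manifest, ed25519.Sign(priv, manifest)
}

// VerifyUpdate is the client side, in this order: signature first so
// unauthenticated bytes never reach the parser; then anti-rollback, because a
// validly signed but older manifest is a downgrade attack; then the digest.
func VerifyUpdate(pub ed25519.PublicKey, installed int, manifest, sig, pkg []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid")
	}
	m, err := ParseManifest(manifest)
	if err != nil {
		return err
	}
	if m.Version <= installed {
		return fmt.Errorf("rollback refused: version %d <= installed %d", m.Version, installed)
	}
	if sha256.Sum256(pkg) != m.SHA256 {
		return errors.New("package digest does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv := GenerateKeys()
	pkg := []byte("constructed update payload v2") // stand-in for a real package
	manifest, sig := SignUpdate(priv, 2, pkg)
	tampered := append([]byte{}, pkg...)
	tampered[0] ^= 0xff
	fmt.Println("genuine: ", VerifyUpdate(pub, 1, manifest, sig, pkg))
	fmt.Println("tampered:", VerifyUpdate(pub, 1, manifest, sig, tampered))
	fmt.Println("rollback:", VerifyUpdate(pub, 2, manifest, sig, pkg))
}
```

The public key that VerifyUpdate trusts must itself be pinned in the client (or rooted in a key the client already trusts); if it is fetched from the same channel as the update, the check proves nothing. A real updater would additionally put an expiry in the manifest and enforce it, so that a captured valid manifest cannot be replayed indefinitely.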


From the Cybersecurity Law of the People's Republic of China:

Article 22: Network products and services shall comply with the mandatory requirements of relevant national standards. Providers of network products and services must not install malicious programs; when they discover that their network products or services have security flaws, vulnerabilities or other risks, they shall immediately take remedial measures, promptly inform users in accordance with the relevant provisions, and report to the competent departments. Providers of network products and services shall provide continuous security maintenance for their products and services, and must not terminate that maintenance within the period prescribed or agreed upon by the parties. Where network products or services collect user information, the provider shall clearly inform users and obtain their consent; where users' personal information is involved, the provider shall also comply with this Law and the relevant laws and administrative regulations on the protection of personal information.
Article 23: Critical network equipment and special-purpose cybersecurity products may be sold or provided only after they have passed security certification by a qualified institution, or have met the requirements of security testing, in accordance with the mandatory requirements of relevant national standards. The State Internet Information Department, together with the relevant departments of the State Council, shall draft and publish a catalog of critical network equipment and special-purpose cybersecurity products, and promote mutual recognition of security certification and security testing results so as to avoid duplicate certification and testing.
Article 33: The construction of critical information infrastructure shall ensure that it has the capability to support stable and continuous business operation, and shall ensure that security technical measures are planned, built and put into use at the same time as the infrastructure itself.

From the Regulations on the Security Protection of Critical Information Infrastructure:

Article 20: When procuring network products and services, operators shall sign security and confidentiality agreements with the providers in accordance with relevant state provisions, clarifying the providers' obligations and responsibilities for technical support and for security and confidentiality, and shall supervise the performance of those obligations and responsibilities.
Article 21: In the event of a merger, division, dissolution or similar situation, operators shall promptly report to the protection work department and dispose of the critical information infrastructure as that department requires, so as to ensure its security.


Originally published on the WeChat public account 老烦的草根安全观: Software Supply-Chain Security Audit

Please retain the source link when reproducing (CN-SEC中文网, with thanks to the original author): http://cn-sec.com/archives/2483475.html
