{"id":89872,"date":"2024-01-31T07:00:00","date_gmt":"2024-01-31T12:00:00","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=89872"},"modified":"2026-04-21T18:08:17","modified_gmt":"2026-04-21T16:08:17","slug":"checkmarx-approach-to-software-supply-chain-security","status":"publish","type":"post","link":"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/","title":{"rendered":"Checkmarx&#8217;s Approach to Software Supply Chain Security"},"content":{"rendered":"<p>2023 culminated with an intensified wave of attacks on the <a href=\"https:\/\/checkmarx.com\/solutions\/software-supply-chain-security\/\">software supply chain<\/a>. Here are just a few that our Software Supply Chain Research Team helped expose in the month of December alone:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>North Korean actors poisoned public open-source and private packages via the GitHub platform to infiltrate organizations and compromise their software supply chains (<a href=\"https:\/\/checkmarx.com\/blog\/how-one-country-is-impacting-supply-chains\/\">report<\/a>)<\/li>\n\n\n\n<li>Attackers published malicious packages to PyPI using various tactics, including combining obfuscation with encryption\/decryption to hide their malicious intent, employing fileless malware to avoid detection, and leveraging the reputation of an extremely popular project (<a href=\"https:\/\/checkmarx.com\/blog\/python-packages-leverage-github-to-deploy-fileless-malware\/\">report<\/a>)<\/li>\n\n\n\n<li>The Ledger Connect Kit suffered a significant supply chain attack resulting in the theft of over $700,000 from users\u2019 wallets. The attack was facilitated by the takeover of a former Ledger employee\u2019s npmjs account, which led to the release of compromised versions. 
This incident highlights the limitations of relying solely on a Software Bill of Materials (SBOM) to detect such attacks: an SBOM records which package versions went into a build, but says nothing about whether a given version was published by the legitimate maintainer. (<a href=\"https:\/\/checkmarx.com\/blog\/npm-account-takeover-results-in-crypto-supply-chain-attack\/\">report<\/a>)<\/li>\n<\/ul>\n\n\n\n<p>We all hoped the start of a new year would bring new tidings. Unfortunately, NPM user account <a href=\"https:\/\/www.npmjs.com\/~gdi2290\">gdi2290<\/a>, aka PatrickJS, published a troll campaign to the NPM registry by uploading a package named \u201ceverything,\u201d which depends on every other public NPM package, resulting in millions of transitive dependencies (<a href=\"https:\/\/checkmarx.com\/blog\/when-everything-goes-wrong-npm-dependency-hell-campaign-2024-edition\/\">report<\/a>).<\/p>\n\n\n\n<p>Jerry Gamblin, vulnerability researcher at Cisco, recently pointed out on <a href=\"https:\/\/www.linkedin.com\/posts\/jgamblin_vulnerabilitymanagement-activity-7142996765611397120-GtPd\/?utm_source=share&amp;utm_medium=member_desktop\">LinkedIn<\/a> that for the first time <em>ever<\/em> we have hit over <a href=\"https:\/\/cve.icu\/\">30,000 CVEs<\/a> published in a single year.<\/p>\n\n\n\n<p>These developments, among the many others that preceded them, emphasize the limited capacity of traditional security measures and the need to complement them with advanced and dynamic approaches.<\/p>\n\n\n\n<h2 
class=\"wp-block-heading article-anchor\" id=\"article-anchor-1\"><strong>4 lessons learned in 2023<\/strong><\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Attackers are ingeniously stitching together diverse tactics.<\/li>\n\n\n\n<li>Deceptive maneuvers, exemplified by social engineering and bogus contributions, have become a staple in attackers\u2019 arsenals.<\/li>\n\n\n\n<li>Abandoned digital assets are not relics of the past; they are ticking time bombs.<\/li>\n\n\n\n<li>The threat landscape\u2019s relentless evolution emphasizes the importance of predictive threat hunting.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-2\"><strong>NSA&#8217;s recommended practices for securing the software supply chain<\/strong><\/h2>\n\n\n\n<p>December was also a month for renewed guidance from the US Government. The National Security Agency (NSA), the Office of the Director of National Intelligence (ODNI), the Cybersecurity and Infrastructure Security Agency (CISA), and industry partners released a <a href=\"https:\/\/media.defense.gov\/2023\/Dec\/11\/2003355557\/-1\/-1\/0\/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN%20RECOMMENDED%20PRACTICES%20FOR%20MANAGING%20OPEN%20SOURCE%20SOFTWARE%20AND%20SOFTWARE%20BILL%20OF%20MATERIALS.PDF\">cybersecurity technical report (CTR), \u201cSecuring the Software Supply Chain: Recommended Practices for Managing Open-Source Software and Software Bill of Materials,\u201d<\/a> which builds on the \u201cEnhancing the Security of the Software Supply Chain through Secure Software Development Practices\u201d memorandum released by the Office of Management and Budget (OMB).<\/p>\n\n\n\n<p>Even with this in-depth guidance, most customers we talk to assume that a well-defined SBOM (Software Bill of Materials) is the only tangible element of a software supply chain security strategy.<\/p>\n\n\n\n<h2 
class=\"wp-block-heading article-anchor\" id=\"article-anchor-3\"><strong>Checkmarx&#8217;s end-to-end software supply chain security to facilitate SLSA attestation<\/strong><\/h2>\n\n\n\n<p>Our vision is to bring together an understanding of what passes through the process, such as dependencies and software artifacts, with the development environment itself, all under the <a href=\"https:\/\/slsa.dev\/\">Supply-chain Levels for Software Artifacts (SLSA) framework<\/a>. This first-to-market approach creates visibility beyond what an SBOM can offer and brings you closer to producing attestations for SLSA compliance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-4\"><strong>Preventing secrets from leaking on external tools with Secrets Detection<\/strong><\/h2>\n\n\n\n<p>Secrets, such as passwords, API keys, cryptographic keys, and other confidential data, are a frequent target in supply-chain attacks.<\/p>\n\n\n\n<p>Threat actors mine for secrets by scraping public documentation, public repositories, compromised private software repositories, and compromised build systems.<\/p>\n\n\n\n<p>Each hard-coded secret is a new attack vector.<\/p>\n\n\n\n<p>Secrets Detection helps you remove hard-coded credentials from your software supply chain by checking developer communication channels, shared tools, and components used across the supply chain.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"936\" height=\"486\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/05\/image-9.png\" alt=\"\" class=\"wp-image-95431\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/05\/image-9.png 936w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/05\/image-9-300x156.png 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/05\/image-9-768x399.png 768w\" sizes=\"(max-width: 936px) 100vw, 936px\" 
\/><\/figure>\n\n\n\n<p>Secrets Detection integrates the scanning capabilities of <a href=\"https:\/\/github.com\/Checkmarx\/2ms\">2MS<\/a>, one of the most popular open-source secret detection tools with over 2 million downloads, directly into Checkmarx One and extends them.<\/p>\n\n\n\n<p>Expanded capabilities include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Support for Confluence, Slack, and Discord<\/li>\n\n\n\n<li>Customizable rules and policies<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-5\"><strong>Creating a streamlined level of accountability with automated SBOM<\/strong><\/h2>\n\n\n\n<p>SBOMs can be generated automatically from the UI in SPDX and CycloneDX formats. This saves time and ensures you have an up-to-date inventory of the third-party packages used within your software supply chain.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"936\" height=\"528\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/05\/image-10.png\" alt=\"\" class=\"wp-image-95432\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/05\/image-10.png 936w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/05\/image-10-300x169.png 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/05\/image-10-768x433.png 768w\" sizes=\"(max-width: 936px) 100vw, 936px\" \/><\/figure>\n\n\n\n<p>Since Checkmarx maintains a historical record of all scans performed, you can retrieve a point-in-time SBOM from any earlier scan or check-in event. 
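Two point-in-time SBOMs are most useful when you compare them. As an added example that is not Checkmarx's code, the following Python block diffs two CycloneDX JSON documents and reports added, removed, and version-changed components. Both documents are constructed inline for this example, and "@example/connect-kit" and "pretty-log" are made-up package names; the field names it reads (components, name, group, version, purl) are the CycloneDX 1.x JSON ones. The block is deliberately modest about what it claims: a version change like the one it surfaces is the kind of lead a diff can produce after an incident of the Ledger Connect Kit type, but the diff cannot tell whether the new version was published by the legitimate maintainer, which is exactly the SBOM-only limitation noted at the top of this post.

```python
import json
from dataclasses import dataclass, field

# Two CycloneDX 1.4 JSON SBOMs, constructed for this example. BEFORE is the
# last known-good scan of a project; AFTER is the next scan of the same project.
# "@example/connect-kit" and "pretty-log" are made-up package names.
SBOM_BEFORE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "group": "@example", "name": "connect-kit",
         "version": "1.1.5", "purl": "pkg:npm/%40example/connect-kit@1.1.5"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
    ],
})
SBOM_AFTER = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "group": "@example", "name": "connect-kit",
         "version": "1.1.7", "purl": "pkg:npm/%40example/connect-kit@1.1.7"},
        {"type": "library", "name": "pretty-log", "version": "2.0.1",
         "purl": "pkg:npm/pretty-log@2.0.1"},
    ],
})


@dataclass
class SbomDiff:
    added: dict = field(default_factory=dict)    # key -> version
    removed: dict = field(default_factory=dict)  # key -> version
    changed: dict = field(default_factory=dict)  # key -> (old, new)


def component_key(c: dict) -> str:
    """Identity of a component with its version stripped.

    Prefer the purl, since it also encodes the ecosystem (pkg:npm vs pkg:pypi);
    fall back to group/name for SBOMs that carry no purls.
    """
    purl = c.get("purl")
    if purl:
        base = purl.split("?", 1)[0]            # drop qualifiers such as ?type=jar
        head, sep, tail = base.rpartition("/")  # only the last segment holds @version
        return head + sep + tail.split("@", 1)[0]
    group = c.get("group", "")
    return f"{group}/{c['name']}" if group else c["name"]


def index_components(sbom_json: str) -> dict:
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {component_key(c): c.get("version", "") for c in doc.get("components", [])}


def diff_sboms(before_json: str, after_json: str) -> SbomDiff:
    before, after = index_components(before_json), index_components(after_json)
    d = SbomDiff()
    for key, ver in after.items():
        if key not in before:
            d.added[key] = ver
        elif before[key] != ver:
            d.changed[key] = (before[key], ver)
    for key, ver in before.items():
        if key not in after:
            d.removed[key] = ver
    return d


def review_lines(d: SbomDiff) -> list:
    """One line per finding. Each is a lead to investigate, not a verdict: the
    diff cannot tell whether the new version came from the legitimate maintainer."""
    out = []
    for k, (old, new) in sorted(d.changed.items()):
        out.append(f"CHANGED  {k}: {old} -> {new}  (verify publisher, release notes, tarball diff)")
    for k, v in sorted(d.added.items()):
        out.append(f"ADDED    {k}@{v}  (new dependency: which commit introduced it, and why?)")
    for k, v in sorted(d.removed.items()):
        out.append(f"REMOVED  {k}@{v}")
    return out


if __name__ == "__main__":
    print("\n".join(review_lines(diff_sboms(SBOM_BEFORE, SBOM_AFTER))))
```

Keying on the purl with only its version removed, rather than on the bare name, keeps pkg:npm/foo and pkg:pypi/foo apart. SBOMs that carry no purls fall back to group/name, so mixing a purl-bearing document with a purl-less one would report every component as both added and removed; normalize both sides to the same form before comparing.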
This eliminates the need for you to build, maintain, and back up a catalog of SBOM files in a file share, saving time and effort while ensuring you can satisfy historical SBOM requests.<\/p>\n\n\n\n<p>Checkmarx supports a wide array of languages and package managers, so there\u2019s no need to implement, maintain, or update multiple SBOM solutions on a per-project or per-language basis.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-6\"><strong>Tackling the most vulnerable internal projects first with Security Scorecard Engine<\/strong><\/h2>\n\n\n\n<p>Checkmarx Scorecard enables organizations to check their own projects quickly and see which are the most vulnerable or at risk, so enterprises can prioritize which to tackle first.<\/p>\n\n\n\n<p>Scorecard uses the format of a popular tool, the <a href=\"https:\/\/securityscorecards.dev\/\">OpenSSF Scorecard<\/a>, which assesses open-source projects for security risks through a series of automated checks.<\/p>\n\n\n\n<p>These checks cover various parts of the software supply chain, including source code, build, and dependencies, and each check is assigned a score from 0 to 10. 
An auto-generated \u201csecurity score\u201d helps users decide the trust, risk, and security posture for their specific application.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"936\" height=\"474\" src=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/05\/image-11.png\" alt=\"\" class=\"wp-image-95433\" srcset=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/05\/image-11.png 936w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/05\/image-11-300x152.png 300w, https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/05\/image-11-768x389.png 768w\" sizes=\"(max-width: 936px) 100vw, 936px\" \/><\/figure>\n\n\n\n<p>With Scorecard, users can auto-generate a security score for their own projects based on a series of checks, including:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Binary Artifacts \u2013 Is the project free of checked-in binaries?<\/li>\n\n\n\n<li>Branch Protection \u2013 Does the project use branch protection?<\/li>\n\n\n\n<li>CI (Continuous Integration) Tests \u2013 Does the project run tests in CI, e.g., GitHub Actions, Prow?<\/li>\n\n\n\n<li>Code Review \u2013 Does the project practice code review before code is merged?<\/li>\n\n\n\n<li>Dangerous Workflow \u2013 Does the project avoid dangerous patterns in its CI workflows, such as script injection from untrusted event data and checking out untrusted pull-request code under a privileged trigger?<\/li>\n\n\n\n<li>Vulnerabilities \u2013 Does the project have unfixed vulnerabilities?<\/li>\n<\/ul>\n\n\n\n<p>Integrating a new tool is frictionless and takes a single click. 
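Of the checks listed above, Dangerous Workflow is the easiest to reproduce locally, and it is worth seeing what it actually looks for. As an added example, not Checkmarx's code and not the OpenSSF Scorecard implementation, the following Python block scans a GitHub Actions workflow for the two patterns that check is built around: untrusted event data (a pull request title, an issue body, github.head_ref, and similar) interpolated with ${{ }} into a run: step, and a checkout of the pull request head under pull_request_target or workflow_run, where the contributor's code would run with the base repository's secrets. The vulnerable and hardened workflows are constructed for this example. The scan is line-oriented on purpose so that it needs only the standard library; it approximates a YAML-aware check and is not a substitute for Scorecard itself.

```python
import re
from dataclasses import dataclass

# Event fields an outside contributor controls. Interpolating any of them with
# ${{ }} into a run: step pastes attacker-chosen text straight into the shell.
UNTRUSTED_CONTEXT = re.compile(
    r"\$\{\{\s*(?:"
    r"github\.event\.(?:issue|pull_request|comment|review|discussion)\.(?:title|body)"
    r"|github\.event\.pull_request\.head\.(?:ref|label)"
    r"|github\.event\.head_commit\.(?:message|author\.(?:name|email))"
    r"|github\.head_ref"
    r")\s*\}\}"
)
# Checking out the PR head under a privileged trigger runs the contributor's
# code with the base repository's secrets and a write-capable GITHUB_TOKEN.
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref")
PRIVILEGED_TRIGGER = re.compile(r"\b(?:pull_request_target|workflow_run)\b")


@dataclass
class Finding:
    line: int
    kind: str   # "script-injection" or "untrusted-checkout"
    detail: str


def check_workflow(text: str) -> list:
    """Line-oriented scan of a GitHub Actions workflow (no YAML parser needed)."""
    findings = []
    privileged = PRIVILEGED_TRIGGER.search(text) is not None
    run_indent = None        # indent of the run: key while inside its scalar
    step_indent = None       # indent of keys in the step that did the checkout
    in_checkout_step = False
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        stripped = raw.lstrip(" ")
        indent = len(raw) - len(stripped)
        is_item = stripped.startswith("- ")      # a "- " list marker counts as indent
        if is_item:
            indent, stripped = indent + 2, stripped[2:]
        if run_indent is not None and indent <= run_indent:
            run_indent = None                    # the run: block scalar ended
        if is_item and indent == step_indent:
            in_checkout_step = False             # a new step began
        if stripped.startswith("run:"):
            run_indent, scan = indent, stripped[len("run:"):]
        elif run_indent is not None:
            scan = raw                           # continuation line of run: |
        else:
            scan = ""                            # env:, with:, name: are safe
        m = UNTRUSTED_CONTEXT.search(scan)
        if m:
            findings.append(Finding(n, "script-injection",
                                    f"{m.group(0)} interpolated into a run: step"))
        if stripped.startswith("uses:") and "actions/checkout" in stripped:
            in_checkout_step, step_indent = True, indent
        elif (in_checkout_step and privileged and stripped.startswith("ref:")
              and PR_HEAD_REF.search(stripped)):
            findings.append(Finding(n, "untrusted-checkout",
                                    "PR head checked out under a privileged trigger"))
    return findings


def dangerous_workflow_score(findings: list) -> int:
    # All-or-nothing, as Scorecard scores this check: 0 if anything found, else 10.
    return 0 if findings else 10


# Constructed workflows for this example, not taken from any real repository.
VULNERABLE_WORKFLOW = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Greet
        run: |
          echo "Thanks for PR: ${{ github.event.pull_request.title }}"
"""

HARDENED_WORKFLOW = """\
on:
  pull_request:
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Greet
        run: |
          echo "Thanks for PR: $PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""
```

The hardened version fixes both problems the way GitHub's own guidance does: the untrusted value is passed through env: and referenced as $PR_TITLE inside the shell, which the scanner correctly leaves alone even though the same ${{ github.event.pull_request.title }} expression still appears in the file, and the trigger is the unprivileged pull_request event, under which checking out the PR head is normal because no secrets are exposed. The score function mirrors Scorecard's all-or-nothing treatment of this check.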
Once you select a new tool, it gets scanned, and the results are displayed in a dedicated view within Checkmarx One.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-7\"><strong>Gaining threat intelligence and eliminating manual analysis with Malware Detection<\/strong><\/h2>\n\n\n\n<p>In the SLSA framework, malicious packages are a form of dependency attack in which attackers inject or contribute malicious code into open-source projects that your developers download and build into your applications. Once installed, the attacker\u2019s code runs with whatever intent the package carries: at install time on the developer workstation or build agent, and at runtime inside your application.<\/p>\n\n\n\n<p>Our research team has inspected over 8 million open-source packages for all kinds of threats, finding 200,000+ malicious packages. We make that threat intelligence available to you in the UI, directly in developers\u2019 IDEs, or through an API-based threat intelligence feed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading article-anchor\" id=\"article-anchor-8\"><strong>Securing containerized applications throughout the supply chain<\/strong><\/h2>\n\n\n\n<p>Securing your containers is key to preventing third parties from exploiting vulnerabilities that can lead to impaired infrastructure, data leaks, and other attacks. <a href=\"https:\/\/www.darkreading.com\/vulnerabilities-threats\/87-of-container-images-in-production-have-critical-or-high-severity-vulnerabilities\">87% of container images in production have critical or high-severity vulnerabilities<\/a>.<\/p>\n\n\n\n<p>The Checkmarx Container Security Solution simplifies image scanning, monitors Docker environments, and helps swiftly resolve vulnerabilities. 
Identify, prioritize, and address security flaws across the SDLC to preempt issues in production workloads.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<strong>Container Image Scanning<\/strong> &#8211; Scan static container images to identify vulnerable code in open-source software and remediate issues before they are deployed.<\/li>\n\n\n\n<li>\n<strong>Runtime Insights Correlation<\/strong> &#8211; Correlate pre-production and runtime data to identify exploitable vulnerabilities in running container images, reduce noise by up to 95%, and prioritize remediation efforts.<\/li>\n<\/ul>\n\n\n\n<p>Software supply chain security is a journey, and it is important to take steps to secure your software supply chain today: detecting supply chain attacks in code packages and securing your developers\u2019 evolving workstations supports rapid development while reducing risk.<\/p>","protected":false},"excerpt":{"rendered":"<p>2023 culminated with an intensified wave of attacks on the software supply chain. Here are just a few that our Software Supply Chain Research Team helped expose in the month of December alone:&nbsp; We all hoped the start of a new year would bring new tidings. 
Unfortunately,&nbsp;NPM user account&nbsp;gdi2290,&nbsp;aka&nbsp;PatrickJS, published a troll campaign to the [&hellip;]<\/p>\n","protected":false},"author":96,"featured_media":89876,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[84,844],"tags":[87,190,188,385,469],"class_list":["post-89872","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-supply-chain-security","tag-appsec","tag-english","tag-open-source-security","tag-supply-chain-security","tag-thought-leadership"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.1.1 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Checkmarx&#039;s Approach to Software Supply Chain Security<\/title>\n<meta name=\"description\" content=\"2023 culminated with an intensified wave of attacks on the software supply chain. Here are just a few that our Software Supply Chain Research Team helped expose in the month of December alone:\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Checkmarx&#039;s Approach to Software Supply Chain Security\" \/>\n<meta property=\"og:description\" content=\"2023 culminated with an intensified wave of attacks on the software supply chain. 
Here are just a few that our Software Supply Chain Research Team helped expose in the month of December alone:\" \/>\n<meta property=\"og:url\" content=\"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/\" \/>\n<meta property=\"og:site_name\" content=\"Checkmarx\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\" \/>\n<meta property=\"article:published_time\" content=\"2024-01-31T12:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-04-21T16:08:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/01\/Checkmarx-Approach-to-Software-Supply-Chain-Security.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1517\" \/>\n\t<meta property=\"og:image:height\" content=\"792\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Yohai West\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:site\" content=\"@checkmarx\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Yohai West\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/\"},\"author\":{\"name\":\"Yohai West\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/8add2468c2941283a2c945d9a4dc2cf2\"},\"headline\":\"Checkmarx&#8217;s Approach to Software Supply Chain Security\",\"datePublished\":\"2024-01-31T12:00:00+00:00\",\"dateModified\":\"2026-04-21T16:08:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/\"},\"wordCount\":1309,\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/01\/Checkmarx-Approach-to-Software-Supply-Chain-Security.jpg\",\"keywords\":[\"AppSec\",\"English\",\"Open-Source Security\",\"SSCS\",\"Thought Leadership\"],\"articleSection\":[\"Blog\",\"Supply Chain Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/\",\"url\":\"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/\",\"name\":\"Checkmarx's Approach to Software Supply Chain 
Security\",\"isPartOf\":{\"@id\":\"https:\/\/checkmarx.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/01\/Checkmarx-Approach-to-Software-Supply-Chain-Security.jpg\",\"datePublished\":\"2024-01-31T12:00:00+00:00\",\"dateModified\":\"2026-04-21T16:08:17+00:00\",\"description\":\"2023 culminated with an intensified wave of attacks on the software supply chain. Here are just a few that our Software Supply Chain Research Team helped expose in the month of December alone:\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/#primaryimage\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/01\/Checkmarx-Approach-to-Software-Supply-Chain-Security.jpg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/01\/Checkmarx-Approach-to-Software-Supply-Chain-Security.jpg\",\"width\":1517,\"height\":792,\"caption\":\"Approach to Software Supply Chain Security\"},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/checkmarx.com\/#website\",\"url\":\"https:\/\/checkmarx.com\/\",\"name\":\"Checkmarx\",\"description\":\"The world runs on code. 
We secure it.\",\"publisher\":{\"@id\":\"https:\/\/checkmarx.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/checkmarx.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/checkmarx.com\/#organization\",\"name\":\"Checkmarx\",\"url\":\"https:\/\/checkmarx.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg\",\"width\":1,\"height\":1,\"caption\":\"Checkmarx\"},\"image\":{\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis\",\"https:\/\/x.com\/checkmarx\",\"https:\/\/www.youtube.com\/user\/CheckmarxResearchLab\",\"https:\/\/www.linkedin.com\/company\/checkmarx\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/8add2468c2941283a2c945d9a4dc2cf2\",\"name\":\"Yohai West\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/checkmarx.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_96.jpg\",\"contentUrl\":\"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_96.jpg\",\"caption\":\"Yohai West\"},\"url\":\"https:\/\/checkmarx.com\/author\/yochaiwest\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Checkmarx's Approach to Software Supply Chain Security","description":"2023 culminated with an intensified wave of attacks on the software supply chain. 
Here are just a few that our Software Supply Chain Research Team helped expose in the month of December alone:","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/","og_locale":"en_US","og_type":"article","og_title":"Checkmarx's Approach to Software Supply Chain Security","og_description":"2023 culminated with an intensified wave of attacks on the software supply chain. Here are just a few that our Software Supply Chain Research Team helped expose in the month of December alone:","og_url":"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/","og_site_name":"Checkmarx","article_publisher":"https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","article_published_time":"2024-01-31T12:00:00+00:00","article_modified_time":"2026-04-21T16:08:17+00:00","og_image":[{"width":1517,"height":792,"url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/01\/Checkmarx-Approach-to-Software-Supply-Chain-Security.jpg","type":"image\/jpeg"}],"author":"Yohai West","twitter_card":"summary_large_image","twitter_creator":"@checkmarx","twitter_site":"@checkmarx","twitter_misc":{"Written by":"Yohai West","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/#article","isPartOf":{"@id":"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/"},"author":{"name":"Yohai West","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/8add2468c2941283a2c945d9a4dc2cf2"},"headline":"Checkmarx&#8217;s Approach to Software Supply Chain Security","datePublished":"2024-01-31T12:00:00+00:00","dateModified":"2026-04-21T16:08:17+00:00","mainEntityOfPage":{"@id":"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/"},"wordCount":1309,"publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"image":{"@id":"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/01\/Checkmarx-Approach-to-Software-Supply-Chain-Security.jpg","keywords":["AppSec","English","Open-Source Security","SSCS","Thought Leadership"],"articleSection":["Blog","Supply Chain Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/","url":"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/","name":"Checkmarx's Approach to Software Supply Chain Security","isPartOf":{"@id":"https:\/\/checkmarx.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/#primaryimage"},"image":{"@id":"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/#primaryimage"},"thumbnailUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/01\/Checkmarx-Approach-to-Software-Supply-Chain-Security.jpg","datePublished":"2024-01-31T12:00:00+00:00","dateModified":"2026-04-21T16:08:17+00:00","description":"2023 
culminated with an intensified wave of attacks on the software supply chain. Here are just a few that our Software Supply Chain Research Team helped expose in the month of December alone:","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/blog\/checkmarx-approach-to-software-supply-chain-security\/#primaryimage","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/01\/Checkmarx-Approach-to-Software-Supply-Chain-Security.jpg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/01\/Checkmarx-Approach-to-Software-Supply-Chain-Security.jpg","width":1517,"height":792,"caption":"Approach to Software Supply Chain Security"},{"@type":"WebSite","@id":"https:\/\/checkmarx.com\/#website","url":"https:\/\/checkmarx.com\/","name":"Checkmarx","description":"The world runs on code. We secure it.","publisher":{"@id":"https:\/\/checkmarx.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/checkmarx.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/checkmarx.com\/#organization","name":"Checkmarx","url":"https:\/\/checkmarx.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/02\/logo-dark.svg","width":1,"height":1,"caption":"Checkmarx"},"image":{"@id":"https:\/\/checkmarx.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Checkmarx.Source.Code.Analysis","https:\/\/x.com\/checkmarx","https:\/\/www.youtube.com\/user\/CheckmarxResearchLab","
https:\/\/www.linkedin.com\/company\/checkmarx"]},{"@type":"Person","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/8add2468c2941283a2c945d9a4dc2cf2","name":"Yohai West","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/checkmarx.com\/#\/schema\/person\/image\/","url":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_96.jpg","contentUrl":"https:\/\/checkmarx.com\/wp-content\/uploads\/2024\/06\/avatar_96.jpg","caption":"Yohai West"},"url":"https:\/\/checkmarx.com\/author\/yochaiwest\/"}]}},"_links":{"self":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/89872","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/users\/96"}],"replies":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/comments?post=89872"}],"version-history":[{"count":0,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/posts\/89872\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media\/89876"}],"wp:attachment":[{"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/media?parent=89872"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/categories?post=89872"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/checkmarx.com\/wp-json\/wp\/v2\/tags?post=89872"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}