Protecting the Software Supply Chain: A Critical Step for Cybersecurity Resilience
Three Points to Remember
- Modern software is built from thousands of interconnected components – one compromised part can put entire systems at risk.
- Software supply chain attacks are rising because they let attackers infiltrate many targets at once, often undetected.
- Practices like SBOMs, secure-by-design development and zero trust principles are essential for building safer digital ecosystems.
Why the software supply chain matters
When most people think about cybersecurity, they picture stolen passwords, hacked accounts or phishing emails with malicious links. These threats are easy to imagine, but behind the scenes a larger and more complex battle is being fought, one that targets the software supply chain. Software is made of countless components created by different people, teams and organizations. If even one of those components is compromised, everything built on top of it is at risk.
Imagine preparing dinner with ingredients from the grocery store. You trust the flour isn’t contaminated, the vegetables are fresh, and the packaging hasn’t been tampered with. Software works the same way. Applications are assembled from thousands of elements – open-source libraries, third-party services, cloud tools and automated updates. Each of those elements, if altered by a malicious actor, becomes a potential entry point into systems that millions of people depend on every day.
Securing the software supply chain starts with protecting individual components, and it adds up to safeguarding the foundation of our digital world.
Why everyone should care
The software supply chain is a web of interconnected parts, each dependent on the others. When even one part is compromised, the entire system is at risk. From power grids and hospitals to smartphones, banking apps and even home appliances, the software we rely on every day is built by networks of contributors spanning the globe. The 2025 Verizon Data Breach Report states that in 2025 alone, data breaches involving third-party software doubled, accounting for 30% of all breaches. These breaches cost an average of $4.4 million each, according to the 2025 IBM Cost of a Breach Report, highlighting the financial and reputational damage organizations face.
By strengthening these digital supply lines, we’re safeguarding the systems that keep society running. It’s one of the most important cybersecurity challenges of our time, and one that increasingly affects us all.
The hidden risks in software supply chains
In recent years, cyberattacks have shifted focus to the “upstream” part of the process, compromising software before it reaches its users rather than attacking victims directly. Why break into one organization when you can quietly compromise a piece of software that thousands rely on?
This strategy gives attackers enormous leverage. If they inject malicious code into an update or modify a widely used open-source component, every user who installs it becomes part of the blast radius. These attacks are stealthy, difficult to detect, and often remain hidden for months, only coming to light long after the damage is done. The consequences can be devastating, impacting countless organizations and the systems millions of people depend on every day.
Why the problem is growing
Three trends make software supply chains especially vulnerable:
- Dependence on open-source software: Open-source is essential to modern development because it is fast, flexible and free. However, it is maintained by a patchwork of global volunteers, not all of whom have the time or resources to monitor for threats.
- Automation at scale: Automatic build systems and update pipelines make development fast, but if those pipelines are compromised, malicious changes can spread instantly.
- Sheer complexity: A single application may use hundreds of code libraries, each depending on dozens more. No single developer can inspect every line of code in the stack.
Building a more trustworthy software ecosystem
The good news is that, while supply chain attacks are sophisticated, defending against them doesn’t require everyone to become a cybersecurity expert. Instead, organizations are embracing a set of practical, commonsense strategies to make the ecosystem safer.
One major shift is the rise of software bills of materials (SBOMs). SBOMs are essentially ingredient labels for software. Just as food labels help you track allergens or additives, SBOMs help teams see exactly what components are in their software and whether any are vulnerable.
Organizations are also increasing their investment in zero trust, operating on the principle that no component — no matter how familiar — escapes verification. Every dependency, connection and update must be verified.
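The two ideas above, an SBOM that lists what is in the software and a zero trust stance that verifies every dependency before it is used, can be put together in a small audit script. The example below is added here for illustration and is not Leidos code or a Leidos product; it reads a minimal CycloneDX-style SBOM (the field names follow the CycloneDX JSON schema, but every component name, version, hash and advisory identifier is constructed for the example), flags components that fall under a known advisory, and checks the bytes a build actually fetched against the SHA-256 pinned in the SBOM. A component with no pinned hash is reported as unverifiable rather than silently trusted, which is the zero trust point: absence of a check is itself a finding.

```python
"""Added example (not Leidos code): audit a CycloneDX-style SBOM against a
vulnerability list and verify fetched artifacts against their pinned hashes.
All SBOM contents, artifact bytes and advisory ids below are constructed."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifact bytes standing in for what a build actually downloaded.
# "tinyhttp" deliberately differs from what the SBOM pinned, to show how a
# tampered or substituted download is caught before it is used.
FETCHED_ARTIFACTS = {
    "fastlog": b"fastlog-2.3.1 artifact",
    "tinyhttp": b"tinyhttp-1.0.7 artifact TAMPERED",
    "yamlish": b"yamlish-0.9.2 artifact",
}

# Constructed minimal CycloneDX-style SBOM ("ingredient label" for the build).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "fastlog", "version": "2.3.1",
         "purl": "pkg:pypi/fastlog@2.3.1",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(b"fastlog-2.3.1 artifact")}]},
        {"type": "library", "name": "tinyhttp", "version": "1.0.7",
         "purl": "pkg:pypi/tinyhttp@1.0.7",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(b"tinyhttp-1.0.7 artifact")}]},
        # No hash pinned at all: cannot be verified, so it must be reported.
        {"type": "library", "name": "yamlish", "version": "0.9.2",
         "purl": "pkg:pypi/yamlish@0.9.2"},
    ],
})

# Constructed advisory feed: every version below "fixed_in" is affected.
ADVISORIES = [
    {"id": "EXAMPLE-2025-0001", "name": "fastlog", "fixed_in": "2.4.0"},
    {"id": "EXAMPLE-2025-0002", "name": "yamlish", "fixed_in": "0.9.0"},
]


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> tuple, so 2.10.0 compares above 2.9.9."""
    return tuple(int(part) for part in v.split("."))


def load_components(sbom_text: str) -> list:
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return doc.get("components", [])


def find_vulnerable(components: list, advisories: list) -> list:
    """Return (name, version, advisory id) for each component an advisory covers."""
    hits = []
    for comp in components:
        for adv in advisories:
            if adv["name"] == comp["name"] and \
                    parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


def pinned_sha256(component: dict):
    for h in component.get("hashes", []):
        if h.get("alg") == "SHA-256":
            return h["content"].lower()
    return None


def verify_artifacts(components: list, fetched: dict) -> list:
    """Return (name, reason) for every component that cannot be trusted."""
    failures = []
    for comp in components:
        expected = pinned_sha256(comp)
        data = fetched.get(comp["name"])
        if expected is None:
            failures.append((comp["name"], "no SHA-256 pinned in SBOM"))
        elif data is None:
            failures.append((comp["name"], "artifact not fetched"))
        elif sha256_hex(data) != expected:
            failures.append((comp["name"], "hash mismatch"))
    return failures


def audit(sbom_text: str, advisories: list, fetched: dict) -> dict:
    comps = load_components(sbom_text)
    return {"vulnerable": find_vulnerable(comps, advisories),
            "unverified": verify_artifacts(comps, fetched)}


if __name__ == "__main__":
    result = audit(SBOM_JSON, ADVISORIES, FETCHED_ARTIFACTS)
    for name, version, adv_id in result["vulnerable"]:
        print(f"VULNERABLE {name} {version}: {adv_id}")
    for name, reason in result["unverified"]:
        print(f"UNVERIFIED {name}: {reason}")
```

Run as written, the audit reports fastlog 2.3.1 as covered by the constructed advisory, tinyhttp as a hash mismatch, and yamlish as unverifiable because the SBOM pins no hash for it; a real pipeline would fail the build on any of the three rather than just print them.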
Building a resilient future with Leidos
Leidos offers advanced solutions, like ARMOR, that provide continuous risk intelligence, AI-native predictive insights and actionable strategies to mitigate threats before they escalate. Our tools help organizations map their software dependencies, identify hidden risks and prioritize vulnerabilities based on real-world exploitability. By leveraging cutting-edge AI and automation, we streamline assessments and enhance visibility, helping security teams act decisively.
Through collaboration and innovation, Leidos is committed to transforming how organizations approach software supply chain security. Whether it’s advocating for digitally signed SBOMs, enhancing threat detection, or driving accountability, we provide the expertise and technology needed to build a resilient future. Leidos helps our partners gain visibility into their third-party software and helps modernize their IT environments, so they are ready to withstand the challenges of tomorrow.
Leidos’ VP of Defensive Cyber, Josh Salmanson, recently sat down with MeriTalk to have a conversation about the future of supply chain security. Check out Upstream Attacks, Downstream Risk: How Agencies are Hardening the Federal Supply Chain to learn more.