Insights

Software Supply Chain Cybersecurity | SUMāTO

Written by Andrés Lozada | Jul 9, 2026 7:30:30 PM

When a vulnerability in a logging library almost no one had heard of put half the internet at risk late last year, many executives discovered an uncomfortable truth: they didn't even know that component lived inside their applications. The software your company buys, licenses, or builds is not a single piece; it is an assembly of hundreds of third-party parts, and each one is a potential door. In 2022, securing that supply chain stopped being a specialists' topic and became a boardroom priority.

The short version: Modern software is built on hundreds of open-source and commercial components you did not write or control. Protecting the supply chain requires knowing what is inside your applications (through an SBOM), managing the vulnerabilities of those dependencies, and verifying that what you run is what your vendors actually delivered. It is a discipline of inventory, governance, and verifiable trust.

Why your software is no longer only yours

A decade ago, an enterprise application was mostly proprietary code. Today the ratio has flipped: between 70% and 90% of a typical application is made up of open-source libraries, frameworks, SDKs, and third-party services. Each dependency brings, in turn, its own dependencies (so-called transitive dependencies), so an application that declares twenty libraries can pull in several hundred indirect components.

This architecture accelerates development, but it shifts the risk. You no longer trust only your own programmers: you trust thousands of anonymous maintainers, public repositories, and each vendor's processes. An attacker who compromises a single popular package can reach, in one stroke, every organization that uses it. The attack surface no longer ends at your perimeter; it stretches across the entire chain that produced your software.

What an SBOM is and why you need one

An SBOM (Software Bill of Materials) is the complete, structured list of every component that makes up an application: the name, version, origin, and license of each part. It is the digital equivalent of the ingredient list on a food product. Without it, when a critical vulnerability appears you cannot answer the only question that matters: "Are we affected, and where?"

The value of an SBOM shows precisely in a crisis. Organizations with up-to-date inventories could locate vulnerable components in hours; those without spent weeks on manual searches while the exposure window stayed open. A strong SBOM program includes:

  • Automatic generation with every build, not as a one-off document that ages the moment it is signed.
  • A standard, machine-readable format (such as CycloneDX or SPDX) so you can query it and integrate it with your tools.
  • Coverage of transitive dependencies, not just the direct ones you declared.
  • A requirement on vendors to deliver the SBOM of the software they sell you.

Dependency and vulnerability management

Having the inventory is the starting point; the ongoing work is to cross-check it continuously against known-vulnerability databases and act with judgment. Not all alerts are equal, and treating them all with the same urgency exhausts teams without reducing real risk.

Mature management prioritizes by three factors: the technical severity of the flaw, whether an active exploit is circulating, and whether the affected component is genuinely exposed in your context. A critical vulnerability in a library that is never invoked in production can wait; a medium-severity one in an internet-facing service probably cannot. We recommend:

  • Software composition analysis integrated into the pipeline, halting builds that contain known-vulnerable components.
  • An update policy that keeps dependencies close to their supported versions, avoiding the technical debt that makes patching impossible.
  • Version pinning so that a build is reproducible and no one introduces silent changes.
  • Internal service-level agreements for the maximum remediation time based on criticality.

Vendor assessment: trust that is demonstrated

A large part of your supply chain is made up of commercial software vendors and cloud services. Here the question stops being technical and becomes one of governance: how does that third party develop, test, and deliver its product? A vendor with weak practices turns their weaknesses into yours.

Assessment must be built into the buying process, not added after signing. It pays to demand evidence, not promises: recognized certifications, results of independent security testing, documented secure development practices, and a clear commitment to notify you when they themselves suffer an incident. The key question for every critical vendor is simple: if tomorrow you discover a serious vulnerability in your product, when and how will I find out? Our cybersecurity team helps organizations build these assessment frameworks.

Signing and verification: making sure what you run is what you received

The final link is integrity. A sophisticated attacker does not need to find a flaw in the code: it is enough to alter the artifact between the moment the vendor builds it and the moment you install it. Cryptographic signing solves this by letting you verify that a component comes from who it claims to and has not been modified along the way.

  • Signing artifacts at the source, so that every package, container, or binary carries verifiable proof of its authenticity.
  • Mandatory verification before deployment: reject anything not properly signed.
  • Provenance that documents how, where, and from what each artifact was built.
  • Protection of the build chain, because the environment that produces your software is as valuable a target as the software itself.

Continuous detection and response

Even with inventories, patches, and signatures, no chain is impregnable. That is why continuous vigilance closes the loop: correlating the activity of your applications and vendors to detect anomalous behavior before it becomes an incident. A SOC that monitors continuously turns the SBOM and dependency management into real response capability, not filed documentation. The difference between the companies that came through the last crisis calmly and those that did not was not luck: it was preparation.

Frequently asked questions

Is an SBOM only for companies that build software?

No. Any organization that uses software (that is, all of them) benefits from requiring SBOMs from its vendors. Even if you don't write code, you need to know which components run inside the applications you buy so you can react when a vulnerability appears.

Isn't a good antivirus and firewall enough?

Those tools protect the perimeter and the endpoints, but they don't tell you which third-party components live inside your applications or whether they are compromised. Supply chain security is a distinct, complementary layer, focused on the origin and integrity of software.

Where do I start if I have none of this?

With the inventory. You can't protect what you don't know. Generating an SBOM of your most critical applications will give you, in a few weeks, visibility you likely don't have today and will reveal the most urgent risks.

How long does it take to implement a program like this?

The first capabilities (inventory and dependency analysis) can be operational in weeks. Full maturity, with vendor assessment and signature verification integrated, is a journey of months best tackled in prioritized phases.

The first step

Software supply chain security is not bought as a product: it is built as a discipline, layer by layer, starting with knowing what is really inside your systems. At SUMāTO, we help organizations in the region move from uncertainty to a concrete, measurable program, with clear priorities and early results. If the last crisis left you wondering "would we be affected?", that is exactly the starting point. Let's talk about how to bring visibility and control to your software supply chain.