What is Software Supply Chain (Really)?
What exactly is a software supply chain, and why is it becoming critical for modern development teams?
In this kickoff episode of Open Source Open Mic, Sonatype’s Andrew Garrett sits down with SVP of Product Tyler Warden to unpack the fundamentals of software supply chains. They explore how today’s applications are built using open source components, how this model compares to traditional supply chains, and the unique risks it introduces.
The conversation dives into key topics like the difference between vulnerabilities and open source malware, the growing influence of AI on software development, and the shared responsibility across Dev, Sec, and Ops teams. You’ll also hear practical strategies for improving DevSecOps practices and navigating increasing regulatory pressure.
Whether you’re a developer, security leader, or engineering executive, this episode offers actionable insights to help you better understand and secure your software supply chain.
Transcript
0:01: OK.
0:02: So we are live.
0:07: Hello everyone, and welcome to this episode of Open Source Open Mic.
0:10: This is our first episode of hopefully many in the series, where we will dive into trending topics around
0:20: open source security, software composition analysis, and all things sec.
0:26: My name is Andrew Garrett, and I am a product marketing manager here at Sonatype, and I am pleased to be joined today by Tyler Warden.
0:37: And Tyler is our SVP of product here at Sonatype.
0:43: He's based in the great state of Georgia, Atlanta, Georgia.
0:47: Tyler, anything you would like to say to introduce yourself to our viewers today?
0:54: Just thanks for having me here, Andrew.
0:57: I'm looking forward to the discussion today and thanks everybody for taking some time to listen to us.
1:02: Awesome.
1:03: Well, today we're gonna dive into the topic of what is a software supply chain.
1:09: This is a term we hear a lot in the world of sec, so, Tyler, why don't you kick us off?
1:15: What is a software supply chain and how is it similar or maybe different to a traditional supply chain?
1:22: So let's focus first on the key same phrase of supply chain.
1:26: The supply chain is all the source material or raw material or components that you bring together to go into and help make the thing that you want to make.
1:38: Let's anchor on a physical supply chain.
1:41: The most, I think, famous example in all of our business cases of business school is a car.
1:46: In order to make a car, we need to go and source a bunch of stuff.
1:50: We need tires and brakes and rotors and metal and spark plugs and windshield wipers.
1:56: And when a car manufacturer is making a car, some of they make themselves, some they go and purchase, some they go and buy, some they go bring in.
2:04: What they go bring in, that's their supply chain.
2:07: And so just like a physical supply chain, the software supply chain is what are those components or dependencies or those outside things you bring into your product, and the vast majority of those raw materials are open source software components.
2:26: So on average, about 85 to 90% of enterprise software by lines of code is actually open source.
2:34: Look at all the lines of code in a piece of enterprise software, about 90% of those lines of code come from open source.
2:38: Why is that?
2:40: Because why would a car manufacturer make a spark plug when they could go get one.
2:44: So that's how they're similar, but one very important difference is that if I'm making a car, and I buy my spark plugs from you, Andrew, I know who you are, you're a business, I have a contractual relationship with you, I can evaluate you, I can interview you, you can pitch me, you can demo me, you can tell me.
3:03: Well, with open source, it's, you're just going out to the internet and getting a, basically a random piece of software to put into yours.
3:14: So what do, what do you do in the software world that's akin to what's in the physical world?
3:19: The physical world, I can talk to you, interview you, do the demo, we can build a relationship.
3:23: I can know you're a high-quality supplier.
3:26: Well, the software world, if it's open source, how do I do that?
3:29: And this is where the similarities really start to break down because there's nobody I can call on the other end of it.
3:35: I don't know if that component is good.
3:36: I don't know if this logging framework or this, this API framework or this web component is any good.
3:43: I just know that I can go get it.
3:45: And so what we at Sonatype try to do is to help organizations, people, AI agents, AI coding assistants, security folks, help establish conditions and regulations to essentially help them make that decision.
4:04: Am I going to buy these spark plugs because they're the best for my car?
4:08: Am I going to use these components that they're good?
4:11: And if they are, we can help you make that decision.
4:13: If they're not, we can help you see that and make a better decision.
4:17: So, a lot of similarities in terms of the foundation, but the application from a physical good to a physical supply chain to essentially an open source set of bits is where you start to hear some very important differences.
4:31: Yeah, I love the comparison there to the traditional supply chain.
4:34: And I'm just thinking in terms of, if I'm a developer, what are some of the components and, and you mentioned some already, but what's actually in the software supply chain for developers?
4:48: So as a developer.
4:50: I I am often doing one of two things.
4:54: I'm either choosing a new component or more often trying to go to a newer version of an existing component within my landscape.
5:03: And when I'm choosing that or making that determination, it's not just the component itself, it's turtles all the way down because that component has open source in it.
5:14: That has its own supply chain that has open source in it that has its own supply chains.
5:18: So we call those direct and then transitive dependencies.
5:22: So direct is, I'm getting my spark plugs from you.
5:27: The transitive is in that spark plug is a filament and, and, and some metal and another screw.
5:32: Where do you get those from?
5:34: And so as a developer, it's not just the choice I'm making, it's everything that's inside that choice, all those materials.
5:42: If you want to switch to food, maybe that's a better metaphor.
5:46: If I'm a developer, I'm going to the store and I'm gonna go buy a sandwich, right?
5:52: I'm buying the sandwich, but in that sandwich is lettuce and meat and bread and cheese, and that meat has its own journey to get to my sandwich.
6:02: The cheese has its own journey to get to my sandwich.
6:04: So as a developer, what's in my supply chain when I'm making the component decision is not just that, it's everything that came into it.
6:11: I may be buying the sandwich, but the difference here is I, the developer, am going to be held responsible for also the meat and the cheese and the lettuce that's in that sandwich, not just the sandwich itself.
6:24: Yeah, I, I love that example.
6:26: And, you know, I've also heard the example of, of water in the past, you know, you, you turn on your faucet in the, in the kitchen, water comes out, you get a glass, you, you fill it up.
6:36: We, we trust that that water that we're drinking is, is safe to drink.
6:41: But you know, you go out into the, into the mountains and you, you go to a river, you, you, you grab a scoop of water out of the, out of the river and you drink that.
6:52: Do you really know where that water is, is coming from?
6:55: You, you don't know if there's somebody upstream who is, you know, dumping trash into the river and, and contaminating it, so.
7:02: Yeah, that, that's a great point, and, and let's stay on that topic for just a minute, but let's talk about maybe where things can go wrong in the software supply chain, and do you have any examples of maybe some recent current events or, or some recent supply chain exploits?
7:20: So I like to think about things going wrong in two buckets.
7:24: Things that went wrong on accident and things that a bad person made go wrong.
7:30: So let's start off with the one we think about.
7:32: You hear the term vulnerability a lot.
7:34: That's something that's done by accident.
7:36: That's, hey, we've made this component, put in the supply chain.
7:39: We didn't know at the time.
7:42: It was vulnerable, it could be attacked, it could be exploited, a bad guy could break in.
7:46: We like to think about that as oops, I left my window, the window on the second floor open of my house.
7:53: I didn't know that at the time, it wasn't intentional, but I left it open, right, mixing metaphors here.
7:59: And sometimes those exploits, those holes can be pretty big.
8:04: We announced to the world, hey, this person's windows open.
8:07: I gotta rush and go close that, or a zero day.
8:09: You might have heard about React2Shell.
8:10: That was one that happened toward the end of last year, where, in React, a very common JavaScript set of libraries,
8:19: there were, there were some windows left open that people hadn't found,
8:23: until they did.
8:24: So that was not on purpose.
8:26: It was a mistake.
8:27: It was, it was a bad code done unintentionally.
8:32: Then there's open source malware, and this is when a bad actor makes an attack happen, and this is essentially somebody inside the house actively robbing you, right?
8:48: This is the window of Dub and this is somebody breaking in.
8:51: Yeah, they broke the window and made their way inside.
8:53: That's right.
8:54: But what they did was even more nefarious than that.
8:59: Imagine we're at this car company and a bad guy got into where they're making the cars and put a special latch on all of the doors that only they knew about.
9:10: And they waited for you to buy the car and they just walked over and broke in.
9:14: They didn't, they knew that they could break in because they got it at the source.
9:18: They poisoned the well upstream, so to speak.
9:21: So, Shai-Hulud, you might have heard about that one from the end of last year.
9:26: And so when people think about protecting their supply chain, historically, everybody thought about the accidental leaving the windows open, the vulnerabilities.
9:36: Over the last few years, we've seen attackers say, well, corporations have done a pretty good job with firewalls and locking down a desktop.
9:44: Where do they bring things in from the outside?
9:48: Well, they get emails from the outside, so phishing happens, but they also, the developers get a lot of open source components.
9:54: So if I can poison the open source, the developers are going to break it down because they need to, and then I've got keys to the kingdom, depending on how bad the malware is.
10:02: So.
10:03: We should think about unintentional vulnerabilities, got to protect ourselves against those, and malware protection, which is as critical or more so as protecting ourselves against any other sort of virus or attack vector, that a malicious or a state actor or organized crime is trying to use to drive a more broad-based attack against the world.
10:27: Yeah, and if I could follow up on that, when, when I think about open source and how prevalent it is, in, in your opinion, are, are we putting too much trust in, in open source sometimes?
10:40: I mean, are, are we trusting that, hey, this, this component is, I can see that it is being used regularly, it, it must be safe to use.
10:50: I, I should be fine.
10:51: Is that a common pitfall for, for developers to fall into?
10:55: So I think it depends on who is the weak, right?
10:58: I think that there are very zero-trust folks that don't trust anything and want to fully scan, and then there are others that say, well, if it's popular, or it's the latest, it must be good.
11:11: But you know who also thinks that? The bad guys. The bad guys know who is popular, the bad guy knows what's downloaded the most, so.
11:20: I think that open source is an amazing force for good in the world.
11:25: We actually did a study here at Sonatype that if you took the economic benefit of just open source around the world, it was like the 4th or 5th largest economy in the world in terms of the benefit of open source gifts.
11:37: And so it's an amazing force for good.
11:39: So let's not.
11:40: Overreact that it's all bad.
11:44: It's an amazing force for good, but as with any force for good, it behooves us to
11:51: have the proper guardrails and set of let's trust but verify what's coming in here, and let's absolutely, no debate, protect against bad actors that try to poison the well.
12:05: Let's be sure we test the water before we, you know, give it to those who we care about.
12:11: Yeah, absolutely.
12:12: And a lot of times we hear the term DevSecOps, you know, putting, putting the sec in DevOps, and, and trust, trust but verify, like you said.
12:23: Well, I, I wanted to talk about who actually owns the software supply chain.
12:30: You know, is it developers, is it security teams, is it DevOps?
12:34: Is it a shared effort?
12:36: What, what's your opinion on that?
12:38: Yeah, I think that the
12:41: textbook answer is DevSecOps for sure.
12:44: I think in reality, the engineering team is the one that is accountable for the software that they create.
12:54: So they, I think it has the ultimate responsibility.
12:57: DevOps is an enabling group to help those dev teams work fast and work secure and work at scale, where application security is there to be sure that, that the verification takes place, because it's a unique set of skills and input to go and verify.
13:17: I think the buck stops with, with engineering if I had to choose one.
13:23: The most effective organizations are the ones that are doing DevSecOps where it's just part of the process.
13:28: So really it should be shared ownership.
13:30: But, you know, engineering is the one that gets the tickets when something needs to change.
13:36: They get woken up in the middle of the night when something breaks.
13:38: And so it is, the
13:42: accountability, I think, lies with them.
13:45: I think the responsibility lies with or lies with everybody.
13:50: Yeah.
13:52: Well, you, you mentioned some of the studies that Sonatype has done recently and we, at Sonatype, we recently released our State of the Software Supply Chain report.
14:03: I, I can include the the link to that in the description if you want to check that out, but, one of the big trends in that report is all around regulations and some of these new compliance requirements that we've seen emerge in the last few years.
14:18: So I did want to ask you about that as well.
14:21: Any thoughts on some of these new regulations, and, and, and how they affect the software supply chain?
14:27: I think the regulations are starting to put some accountability teeth in what regulating agencies is doing.
14:35: It's, it's making some folks make a decision and care and get some visibility.
14:40: DORA, CMMC, SEPI, these are, these are things that are helping enforce or shine a light on some best practices that should happen, and I think the power of regulation is they can force people to act if they normally wouldn't.
14:59: I think that it is in the best interest of many organizations to not rely just on the regulations, because what we found is good DevSecOps practices actually allow you to deliver faster, more innovation to market at scale.
15:14: So it's, it's, I have this
15:17: belief that businesses do things for one of 3 reasons, make more money, save more money, stay out of jail, and it's in that order, right?
15:23: So, regulations, stay out of jail, don't, don't get fined.
15:26: Yeah, that's, that's, that's good, but let's be clear, good DevSecOps helps with the number 1, which is make more money, right?
15:33: So I think that that is, regulations are good.
15:37: I think that they're a good kind of reaction to what's happening in the world and I'm all for regulating good software supply chain practices.
15:46: I would just encourage if you're listening to this, that there's actually a lot more benefit than just being compliant that can be had with optimizing your software supply chain.
15:55: Yeah, I agree, and you know what, what these new regulations tell me is, you know, in the past, some of these security best practices were looked at as just that, right?
16:08: They're best practices, we, we probably should do them if we get around to them, but, you know, now I, I think with these regulations, we're kind of forcing people's hands where we're saying, OK, we, we gave you the option to do this, but now we're gonna make you do it.
16:21: That's right, yeah, that's right.
16:23: Yeah.
16:23: Well, another hot topic right now is, is AI, and, it's, it's 2026, as we're recording this episode right now.
16:37: AI is, is a trending topic.
16:39: Maybe if some, if, if you're watching this in 2030, maybe, maybe you're thinking, oh, AI, that's old news now, but, but, but I did want to talk about AI and how it's changing the landscape of the software supply chain.
16:52: I would think about it in three ways.
16:53: One, there's a new class of suppliers.
16:55: So it's like if every car manufacturer now had to put, a rocket booster on every car, you would have a bunch of rocket booster manufacturers coming out of the woodwork or wings or hovercraft lights or whatever, right?
17:11: So there's a new class of input called AI models.
17:15: Places like hugging Face have emerged to be a distribution point for open-source AI models.
17:21: So you might have to think about bringing AI models into your business, into your organization.
17:26: So now there's a new kind of class of supplier that needs the same supply chain governance that you've done in the past.
17:31: That's one.
17:32: Two, AI allows more people to write code, like it's, it's, it's, it's easier to write code now, which means there's a lot more individuals that are having agents and assistants writing code, making a lot of open-source decisions.
17:48: So your exposure of how much you're ingesting from the outside world is a lot bigger.
17:53: It's like if now half the people at Ford were building their, could build their own one-off cars and going off and buying spark plugs from everybody, right?
18:00: So there is this broadening of input.
18:03: And then there is
18:06: this kind of speeding up of decision making that means making a bad component choice, the cost of that is multiplied by a huge amount, right?
18:18: It's like the cost of making a bad decision or the benefit of making a good decision.
18:21: So you've got more code being written, which increases risk.
18:27: Also, the bad guys have the same AI that the good guys do, right?
18:31: Like anybody could go out to a coding assistant and pay them and they could tell their agent to write whatever they wanted to, which means they can write bad open source components, that sort of stuff.
18:39: Now, the good news is, I think that the good guys have the tools to go win in this case, but, because of AI, but I think that we need to be more cognizant of more bad stuff hitting the supply chain.
18:51: More, easier to generate open source malware, so it makes protection that much more important.
18:58: So think about more code being written, more inputs, a new class of supplier, and, more ways to exploit, but also AI can be ones that help make better decisions faster, powered by the right data, and can help the good guys move faster too.
19:13: Yeah, yeah, absolutely.
19:14: Well, we are running a little short on time here now, but I, I did want to end with some, some best practices.
19:21: So, Tyler, could you give us a couple of recommendations, you know, what, in your opinion, what would you say to security teams to help them secure their software supply chains?
19:32: Three things.
19:33: One, choose fewer better suppliers.
19:35: What does that mean?
19:37: Make better, help your teams, help your teams make better component decisions upfront and have less sprawl, so fewer better suppliers.
19:45: 2, know where your parts are throughout your entire supply chain.
19:50: So when you bring a component in, where does it land, where does it come in, where is it used?
19:54: And 3, do not pass defects downstream.
19:58: Now those happen to be the Deming supply chain principles from the Toyota production system, but they apply here to the software supply chain as well.
20:05: You might have heard shift left.
20:07: That's just don't pass defects downstream.
20:09: The better decisions you make earlier, right, the less costly it is to resolve them.
20:16: And no matter where you catch them, it's better than letting them leave the factory floor.
20:21: So choose fewer, better suppliers, know where your components are at all times, and don't pass defects once found downstream.
20:28: Apply those principles to whatever tooling or processes you have.
20:31: Those principles, I think, will make the most immediate impact to your software supply chain.
20:37: I love it.
20:38: Those are some great recommendations.
20:40: And, Tyler, to wrap it up here, I thought we could have a little bit of fun.
20:44: This is something that I call the rapid fire round.
20:47: So your answers, it's 10 words or less for your answers here.
20:50: What is the biggest myth about the software supply chain?
20:55: I don't need to worry about it.
20:58: What is the most underrated risk?
21:09: Technical debt.
21:12: What is the most overhyped solution?
21:20: Scanning your code right before it goes to production.
21:25: OK, what's one metric that every CISO should track?
21:31: Mean time to remediate.
21:33: And last but not least, what's your final word of advice?
21:46: I don't know this is, let's try good software supply chain principles.
21:53: Help you go faster.
21:55: There you go.
21:56: Love it.
21:57: Well, thanks again, Tyler, this has been great.
21:59: I've really enjoyed talking to you and learning more about the software supply chain and to our viewers today, thank you for joining us on this episode.
22:07: We hope you found it insightful.
22:08: If you're not already subscribed to the Sonatype YouTube channel, we hope you will subscribe.
22:14: Leave a comment down below or a question.
22:16: If you have a question for Tyler, we'd love to hear from you.
22:18: And we'll see you again on another episode of Open Source Open Mic.
22:23: Thanks, we'll see you next time.
22:24: Thanks everybody.
22:27: Awesome.
22:31: OK, I'll stop
Software Supply Chain FAQs
What is a software supply chain?
A software supply chain refers to all the components, dependencies, and external code (primarily open source) that are used to build an application. Just like a physical supply chain, it involves sourcing “materials," but in this case, they are libraries, frameworks, and packages.
Why is the software supply chain important?
Because most modern applications are built using 80–90% open source code, organizations are inherently dependent on external components. This introduces risk, making visibility, governance, and security critical to prevent vulnerabilities and malicious code from entering production systems.
What’s the difference between vulnerabilities and open source malware?
- Vulnerabilities are unintentional flaws or weaknesses in code that can be exploited.
- Open source malware is intentionally created by bad actors to compromise systems.
Both pose risks, but malware represents a more deliberate and targeted threat.
Who is responsible for securing the software supply chain?
Software supply chain security ownership is shared across teams:
- Developers are accountable for the code they build
- Security teams provide oversight and validation
- DevOps enables secure and scalable processes
In practice, successful organizations adopt a DevSecOps approach where responsibility is integrated across the lifecycle.
How is AI impacting the software supply chain?
AI is accelerating software development, increasing the volume of code and dependencies introduced into applications. It also introduces:
- New types of “suppliers” (e.g., AI models)
- Faster decision-making (with higher risk if choices are poor)
- Increased opportunity for both innovation and exploitation
What are the biggest risks in the software supply chain today?
Some of the most common software supply chain risks include:
- Ingesting vulnerable or outdated components
- Lack of visibility into transitive dependencies
- Open source malware attacks
- Over-reliance on popularity as a proxy for safety
What are best practices for improving software supply chain security?
Key software supply chain security recommendations from the episode include:
- Choose fewer, higher-quality components
- Maintain visibility into all dependencies (direct and transitive)
- Address issues early—don’t pass defects downstream
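The direct versus transitive distinction from the episode, and the "know where your parts are" recommendation, worked through as an added example; this is not code from the episode or from Sonatype's products. The dependency graph is constructed and every package name and version in it is made up.

```python
"""Answering "where does a component land, where does it come in, where is it
used?" for an application's direct and transitive dependencies.

GRAPH is a constructed, lockfile-style map: package -> packages it pulls in.
The application's own manifest is the entry for APP. Hypothetical names only.
"""
from collections import deque

APP = "app"

GRAPH = {
    "app": ["web-framework@4.2.0", "logging-lib@1.9.0", "http-client@2.0.1"],
    "web-framework@4.2.0": ["template-engine@3.1.0", "http-client@2.0.1"],
    "logging-lib@1.9.0": ["string-utils@0.8.0"],
    "http-client@2.0.1": ["string-utils@0.8.0", "tls-helper@1.0.3"],
    "template-engine@3.1.0": ["string-utils@0.8.0"],
    "string-utils@0.8.0": [],
    "tls-helper@1.0.3": [],
}


def resolve(graph, root=APP):
    """Return (direct, transitive): what root lists itself, and everything
    else reachable from those choices ("turtles all the way down")."""
    direct = set(graph.get(root, []))
    seen, queue = set(), deque(direct)
    while queue:                      # breadth-first walk of the whole tree
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(graph.get(pkg, []))
    return direct, seen - direct


def paths_to(graph, target, root=APP):
    """Every path root -> ... -> target, i.e. each route by which a component
    enters the application. Cycles are cut by refusing to revisit a node."""
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:
                walk(child, path + [child])

    walk(root, [root])
    return found


def direct_dependencies_pulling(graph, target, root=APP):
    """The direct choices that bring target in. Only upgrading or replacing
    these can actually remove target; patching a transitive in place cannot."""
    return sorted({p[1] for p in paths_to(graph, target, root) if len(p) > 1})


def impact_report(graph, flagged, root=APP):
    """For each flagged component (e.g. one with a newly published
    vulnerability or one identified as malware), say whether it is a direct
    or transitive dependency, how many routes bring it in, and via which
    direct dependencies. This is the information needed to avoid passing
    the defect downstream."""
    direct, transitive = resolve(graph, root)
    report = {}
    for pkg in flagged:
        kind = "direct" if pkg in direct else "transitive" if pkg in transitive else "absent"
        report[pkg] = {
            "kind": kind,
            "routes": len(paths_to(graph, pkg, root)),
            "via": direct_dependencies_pulling(graph, pkg, root),
        }
    return report


if __name__ == "__main__":
    for name, entry in impact_report(GRAPH, ["string-utils@0.8.0", "tls-helper@1.0.3"]).items():
        print(f"{name}: {entry['kind']}, {entry['routes']} route(s), via {entry['via']}")
```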
How do regulations impact software supply chain security?
Emerging regulations (e.g., CMMC, DORA) are increasing accountability and forcing organizations to adopt stronger security practices. However, beyond compliance, strong DevSecOps practices also drive faster innovation and better business outcomes.
Is open source software safe to use?
Yes, open source is a powerful driver of innovation and efficiency. However, it requires a “trust but verify” approach. Organizations should implement controls to evaluate, monitor, and secure the components they use.
Who should watch this episode?
This episode is ideal for:
- Developers and engineering teams
- Security and DevSecOps professionals
- CISOs and technology leaders
- Anyone responsible for building or securing software