Supply Chain Security — SBOM and Beyond
Software supply chain attacks increased 742% between 2019 and 2025, and that growth shows no sign of slowing. SolarWinds demonstrated that a single compromised build system could grant adversaries access to 18,000 organizations simultaneously. Log4Shell proved that a vulnerability in one transitive dependency could expose virtually every enterprise on the planet. Codecov showed that CI/CD secrets are one tampered script away from exfiltration at scale.
Traditional perimeter security was designed for a world where you built what you ran. That world no longer exists. The average enterprise application contains 257 open-source dependencies, each with its own dependency tree, maintainer community, and attack surface. Your firewall cannot inspect the integrity of a build artifact. Your EDR cannot verify that the npm package you installed today is the same one you audited last quarter.
This post breaks down the modern software supply chain, explains how SBOMs and the SLSA framework provide verifiable trust at every stage, and walks through a synthetic incident response where Meridian Healthcare used both to contain a compromised dependency in under 48 hours.
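To make the point about unverifiable installs concrete, here is an added example (not code from the original post) that compares a CycloneDX-style SBOM recorded at the last audit with one generated from today's install and reports every component the audit no longer vouches for. Package names and SHA-512 values are constructed placeholders, and only the `components` array of the SBOM is modelled.

```python
# Constructed sample: the "components" array of the CycloneDX SBOM recorded at the
# last audit. Hash values are placeholders, not real package digests.
AUDITED_SBOM = {"components": [
    {"purl": "pkg:npm/left-pad@1.3.0", "version": "1.3.0",
     "hashes": [{"alg": "SHA-512", "content": "a1" * 64}]},
    {"purl": "pkg:npm/lodash@4.17.21", "version": "4.17.21",
     "hashes": [{"alg": "SHA-512", "content": "b2" * 64}]},
    {"purl": "pkg:npm/minimist@1.2.5", "version": "1.2.5",
     "hashes": [{"alg": "SHA-512", "content": "c3" * 64}]},
]}

# Constructed sample: what today's install resolved to (e.g. an SBOM generated from the
# lockfile). lodash keeps its version but ships different bytes, minimist was bumped,
# and a new transitive dependency (colors) appeared that nobody has audited.
INSTALLED_SBOM = {"components": [
    {"purl": "pkg:npm/left-pad@1.3.0", "version": "1.3.0",
     "hashes": [{"alg": "SHA-512", "content": "a1" * 64}]},
    {"purl": "pkg:npm/lodash@4.17.21", "version": "4.17.21",
     "hashes": [{"alg": "SHA-512", "content": "ff" * 64}]},
    {"purl": "pkg:npm/minimist@1.2.8", "version": "1.2.8",
     "hashes": [{"alg": "SHA-512", "content": "d4" * 64}]},
    {"purl": "pkg:npm/colors@1.4.1", "version": "1.4.1",
     "hashes": [{"alg": "SHA-512", "content": "e5" * 64}]},
]}

def index_components(sbom: dict) -> dict[str, tuple[str, str]]:
    """Map package identity (purl minus its version) -> (version, SHA-512 or '')."""
    index = {}
    for comp in sbom.get("components", []):
        name = comp["purl"].rsplit("@", 1)[0]
        sha = next((h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-512"), "")
        index[name] = (comp["version"], sha)
    return index

def detect_drift(audited: dict, installed: dict) -> dict[str, str]:
    """Return {package: finding} for every installed component the audit does not vouch for."""
    before, now = index_components(audited), index_components(installed)
    findings = {}
    for name, (version, sha) in now.items():
        if name not in before:
            findings[name] = "new component, not covered by the last audit"
        elif before[name][0] != version:
            findings[name] = f"version changed {before[name][0]} -> {version}"
        elif not sha or before[name][1] != sha:
            # Same declared version, different bytes: the artifact itself was replaced.
            findings[name] = "same version, different SHA-512"
    return findings

if __name__ == "__main__":
    for pkg, why in sorted(detect_drift(AUDITED_SBOM, INSTALLED_SBOM).items()):
        print(f"{pkg}: {why}")
```

A lockfile alone would miss the lodash case, since the declared version is unchanged; only the recorded digest exposes the swapped artifact.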