共部门软件供应链报告.pptxVIP

SOFTWARE

SUPPLYCHAIN

PUBLICSECTOR

Thesoftwaresupplychainisavitalcomponentofsuccessfulsoftwaredevelopmentorganizations.However,incidentssuchasthe2020Solarwindsattack,the2021Log4Jvulnerability(Log4Shell),the2024xzbackdoor(CVE-2024-3094),andthe2025“tj-actions/changed-files”supplychainattack(CVE-2025-30066)have

demonstratedhoweasilybackdoorsandbreachesinthesoftwaresupplychaincanbeexploited,impacting

organizationsandindividualsglobally.TheLog4Jvulnerability,inparticular,isnotableduetoitswidespread

deploymentandthestaggering10millionexploitationattemptsperhourreportedjustonemonthafterits

discovery.Justonemonthafterbeingdiscovered,theWallStreetJournalhadidentifiedastaggering10millionexploitationattemptsperhour.1

Organizationsthatimplementrobustsecuresoftwaresupplychaintoolsandpracticesareabletorespondfastertosuchincidents,thankstoincreasedvisibilityandtransparency.Butarisingtideliftsallboatsandasecuresoftwaresupplychainwouldsignificantlymitigatetheriskofsuchattacksbyensuringtheintegrityandauthenticityofsoftwaredependenciesfromdevelopmenttodeployment,preventingmaliciouscodeorunauthorizedmodifications.

TheCloudNativePublicSectorUserGroup2wasformedin2023toserveasahubfordiscussingandadvancingcloudcomputingwithinthepublicsector.Alongsideenumeratingcurrentbestpractices,wearededicated

toimprovingpublicsectorworkflowsandsupplychainsecuritybyadvocatingforthedevelopmentandimplementationofsecureandresilientcloud-nativesoftwarefoundwithinthepublicsector.

Inthiswhitepaper,weaimtoclearlyaddressthecurrentandfuturechallengesofsecuringthepublicsector

softwaresupplychain,andproposelong-term,sustainablesolutionsforusingopensourcetechnologiestomeettheneedsofgovernmentsystems,