Feeling VEXed by software supply chain security? You’re not alone

SCSW The vast majority of off-the-shelf software is composed of imported components, whether that's open source libraries or proprietary code. And that spells a security danger: if someone can subvert one of those components, they can infiltrate every installation of applications using those dependencies.

"Attackers have realized this, and that it's easy to hide in and attack all those gaps, those third-party components as they get transferred around and reused by other vendors," Dan Lorenc, CEO and co-founder of security specialists Chainguard, told The Register. 

"We've seen a huge rise in supply chain attacks over the last couple of years, which has led to increasing recollection and attention in the space," Lorenc added.

This, in turn, has led to increased regulation and attention as the government and private industry have taken steps to secure software supply chains — and prevent another major incident such as the SolarWinds or Log4j attacks.

For The Register's Supply Chain Security Week, we sat down with Lorenc to discuss these efforts, including one that his startup is spearheading called OpenVEX, an open source specification that aims to jumpstart the adoption of the Vulnerability Exploitability eXchange, or VEX. 

And because the industry loves its acronyms, VEX is intended to complement another supply-chain security tool called SBOM, or software bill of materials.

Tune into the interview above as Lorenc discusses the challenges of securing software supply chains and how all of these acronyms can help. ®