Software Supply Chain

Supply chain compromises are a powerful attack vector. In cloud native deployments everything is software-defined, so vulnerabilities in this area carry increased risk. If an attacker controls the supply chain, they can potentially reconfigure anything in an insecure way.

What are supply chain vulnerabilities and their implications?

The Catalog of Supply Chain Compromises provides real-world examples that help raise awareness, along with detailed information that lets us understand attack vectors and consider how to mitigate potential risk.

On mitigating vulnerabilities

There is ongoing work to establish best practices in this area. The list of compromise types in the Catalog of Supply Chain Compromises suggests some mitigation techniques for the better-understood categories.