OWASP A03:2025: Why Supply Chain Security Is Now Ranked #3 (and What Operators Must Do)

A Wake-Up Call for Operators: When OWASP first introduced “Using Known Vulnerable Components” back in 2013, it was a developer problem. Fast forward to 2025, and A03:2025 – Software Supply Chain Failures has become an operator’s nightmare. This category, now ranked #3 in the OWASP Top 10 (and #1 in the community survey), reflects how deeply our production environments rely on a sprawling, fragile, and opaque software supply chain. As an operator, I don’t just deploy code — I deploy trust. Every library, base image, CI/CD action, and IDE extension is part of that trust chain. When any one of them fails, it’s not just a bug — it’s a breach. ...

November 11, 2025 · 7 min · 1283 words · Ritesh Noronha

How OwnersBox Used the Interlynk SBOM Platform to Immediately Thwart the Shai-Hulud npm Attack

This blog post describes how OwnersBox quickly mitigated the threat of the “Shai-Hulud” npm supply chain attack in September 2025. The attack involved malicious packages that stole credentials and aggressively self-propagated.

October 27, 2025 · 3 min · 540 words · Cosimo Commisso

Interlynk's Response to CISA's 2025 SBOM Minimum Elements Request for Comments

Docket Number: CISA-2025-0007. Comment Deadline: October 3, 2025. Submission Portal: regulations.gov. Executive Summary: Interlynk appreciates the opportunity to provide feedback on CISA’s proposed “2025 Minimum Elements for a Software Bill of Materials (SBOM).” As developers of open-source SBOM quality and management tools, we bring a unique perspective grounded in practical implementation experience across diverse enterprise environments. Through our work on sbomqs (SBOM Quality Score) and sbomasm (SBOM Assembler), we have analyzed millions of SBOMs from various industries and toolchains, giving us deep insights into the real-world challenges of SBOM creation, validation, and consumption. Our tools help organizations assess SBOM completeness, manage multi-format SBOMs, and ensure compliance with evolving standards—experience that directly informs our response to these proposed minimum elements. ...

September 29, 2025 · 5 min · 962 words · Ritesh Noronha