- June 4, 2026
- Richard Thompson
Earlier this week Ryan Culham and I presented at InfoSec on something that is causing a lot of havoc in our field at the moment: Supply Chain Under Siege. Whilst this post isn't going to cover everything Ryan spoke about, it is going to provide a summary.
Supply chain attacks have become one of the biggest challenges facing security teams today. The reason is simple: attackers have realised that compromising one trusted supplier, software provider, GitHub repo, or service can give them access to hundreds or even thousands of organisations.
Recent incidents such as MOVEit, 3CX, XZ backdoor, and the NPM attacks have demonstrated just how effective this approach can be. In each case, the attackers did not need to break directly into their target’s environment. Instead, they exploited trust that already existed.
This shift has changed the nature of cyber defence.
The New Reality
Historically, organisations focused on protecting their own networks, systems, and users. While those responsibilities remain important, modern businesses rely on a complex ecosystem of software vendors, cloud providers, managed service providers, and open source projects.
Every one of those relationships introduces risk.
If a supplier is compromised, their customers may also be exposed. If a software update is malicious or vulnerable, it can be distributed directly into trusted environments. If a hidden software dependency contains a flaw, organisations may not even know they are affected. The challenge is that most organisations still struggle to answer a simple question:
Are we affected?
When a major vulnerability or supply chain compromise is announced, security teams often spend valuable time trying to identify where vulnerable software exists, which systems are impacted, and what should be prioritised first.
The longer that process takes, the greater the risk.
Supply Chain Security Is Not a Paperwork Exercise
Many organisations have invested significant effort into supplier assessments, security questionnaires, and compliance reviews. These activities remain valuable and should not be ignored. However, questionnaires alone will not tell you if a vulnerable component is running on a production server today. Supply chain security is increasingly an operational challenge rather than a governance challenge.
The organisations that respond effectively are those that can quickly:
- Identify affected assets
- Understand software dependencies
- Prioritise the highest-risk exposures
- Remediate vulnerabilities at scale
- Verify that risk has been reduced
In other words, they have visibility and control.
Why Visibility Matters
The first step in responding to any supply chain incident is understanding what exists within your environment. Without visibility, teams are forced to rely on assumptions, spreadsheets, and manual investigation. That approach simply cannot keep pace with modern threats.
Real-time visibility allows security teams to quickly identify:
- Which assets are present
- What software is installed
- Which versions are running
- How systems are configured
- Where potential exposure exists
This transforms incident response from a guessing exercise into a fact-based process.
Understanding What’s Inside Your Software
One of the most significant developments in supply chain security is the growing use of Software Bills of Materials (SBOMs). An SBOM is effectively an ingredient list for software. It provides visibility into the libraries, frameworks, and dependencies that make up an application.
This becomes especially important when vulnerabilities are discovered deep within a software stack. The XZ backdoor incident demonstrated how a compromise within a relatively obscure component can create widespread concern across the industry. Knowing what software you have is important. Knowing what is inside that software is even more valuable.
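As an added illustration (not code from the original post or from PointWire), the following Python reads a CycloneDX-style SBOM and answers "are we affected?" for a single advisory, reporting the dependency chain through which the affected component is pulled in. Both the SBOM and the advisory are constructed sample data, modelled on the XZ case; the CycloneDX field names are real, the contents are not.

```python
import json

# Constructed CycloneDX-style SBOM (field names are real, contents are made up).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "billing-api", "version": "2.3.0"}},
  "components": [
    {"bom-ref": "pkg:deb/debian/xz-utils@5.6.1", "name": "xz-utils", "version": "5.6.1"},
    {"bom-ref": "pkg:deb/debian/libarchive@3.7.2", "name": "libarchive", "version": "3.7.2"},
    {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:deb/debian/libarchive@3.7.2", "pkg:pypi/requests@2.31.0"]},
    {"ref": "pkg:deb/debian/libarchive@3.7.2", "dependsOn": ["pkg:deb/debian/xz-utils@5.6.1"]}
  ]
}"""

# Constructed advisory modelled on the XZ incident; affected if introduced <= version < fixed.
ADVISORY = {"name": "xz-utils", "introduced": "5.6.0", "fixed": "5.6.2"}

def vtuple(version):
    """'5.6.1' -> (5, 6, 1); any non-numeric part sorts lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))

def is_affected(version, advisory):
    return vtuple(advisory["introduced"]) <= vtuple(version) < vtuple(advisory["fixed"])

def find_paths(sbom, target):
    """Every dependency chain from the root component down to target."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths = []
    def walk(ref, path):
        if ref == target:
            paths.append(path)
            return
        for child in edges.get(ref, []):
            if child not in path:  # cycle guard
                walk(child, path + [child])
    root = sbom["metadata"]["component"]["bom-ref"]
    walk(root, [root])
    return paths

def check_sbom(sbom_json, advisory):
    """Affected components plus how each is reached from the root component."""
    sbom = json.loads(sbom_json)
    return [{"component": c["bom-ref"], "paths": find_paths(sbom, c["bom-ref"])}
            for c in sbom.get("components", [])
            if c["name"] == advisory["name"] and is_affected(c["version"], advisory)]
```

Run against the sample data it flags xz-utils 5.6.1 and shows that billing-api only reaches it transitively via libarchive, which is exactly the "hidden dependency" case a plain package inventory misses.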
Speed Matters
Not every vulnerability represents the same level of risk. Modern security teams must prioritise effectively, focusing on exposures that are genuinely exploitable and relevant to their environment. The goal is not to patch everything immediately. The goal is to address the risks that matter most first. This requires a combination of visibility, context, and operational capability.
When a new supply chain vulnerability emerges, organisations need to move quickly from:
- understanding exposure
- to prioritising risk
- to taking action
The faster this cycle can be completed, the smaller the opportunity available to attackers.
The Future of Supply Chain Defence
Supply chain attacks are unlikely to disappear. If anything, they will continue to grow as organisations become increasingly interconnected. The answer is not to eliminate trust. Modern business depends on trusted relationships and third-party services. Instead, organisations must focus on reducing uncertainty.
That starts with answering three critical questions:
- What do we have?
- Where are we exposed?
- How quickly can we act?
The organisations that can answer those questions confidently will be far better positioned to manage supply chain risk than those relying solely on audits, questionnaires, and assumptions.
Final Thoughts
Supply chain security is no longer just about assessing suppliers. It is about understanding the software, systems, and dependencies that underpin your business.
The most resilient organisations are not necessarily those that prevent every incident. They are the ones that can rapidly determine whether they are affected, understand the impact, and respond decisively.
In an environment where trust can be exploited, visibility, transparency, and control have become essential security capabilities. Because when the next supply chain attack arrives, the most important question will not be "What happened?"
It will be "Are we affected?"
If supply chain security is something you are concerned about and you want to know more about how we can help, get in touch by emailing contact@pointwire.com. One of our engineers will be happy to show you how you could answer: "Are we affected?"
About Me:
I am the Security Director at PointWire, where I focus on helping organisations of all shapes and sizes strengthen their security posture through practical, risk-aware controls.
Before joining PointWire, I was a Technical Account Manager at Tanium and previously served as a Principal Architect at AppSense, bringing deep experience across endpoint security, enterprise architecture, and operational resilience.