Integrated Threat Modeling Framework for Software Supply Chain Security

Abstract:

The increasing frequency of attacks targeting the Software Supply Chain (SSC) has made its security a critical component of organizational cyber resilience. Modern systems are assembled from components of diverse provenance (open-source libraries, vendor products, build tooling, and hosted services), which complicates identification of the attack surface. High-profile incidents illustrate that risk can enter at any stage of the software lifecycle: a compromised build pipeline (SolarWinds), a critical vulnerability in a ubiquitous open-source dependency (Log4Shell), and a backdoor introduced by a trusted maintainer (XZ Utils) affected acquisition, distribution, and maintenance respectively.

This paper examines the primary attacker profiles (Advanced Persistent Threats, hacktivists, insiders, and script kiddies) and their respective impacts on supply chain risk. It further discusses established threat modeling methodologies (STRIDE, PASTA, OCTAVE) and the resources that support risk assessment: the CVSS vulnerability scoring system, the MITRE ATT&CK knowledge base of adversary tactics and techniques, and the Software Bill of Materials (SBOM) as an inventory of the components a product actually contains.

The paper proposes an integrated threat model for the software supply chain that combines attacker profile analysis, attack vector identification, and countermeasure definition within a single unified process. The model enables repeatable, context-aware risk analysis and supports the development of organizational resilience against the attack scenarios most likely to affect a given organization.