NIST Weighs in on Software Supply Chain Attacks

Edward Chopskie

What is a Software Supply Chain (SSC) Attack?

Supply chain attacks strategically focus on infiltrating an organization by compromising the products it depends on, in this case software. In this type of cyber-assault, attackers covertly implant a backdoor within the software or its development infrastructure. Once established, this concealed entry point grants them the ability to tamper with the software’s update and patching mechanisms. They exploit this capability to deliver “trojanized” updates—updates that appear legitimate but are laced with malicious code. More details about SSCs can be found in this blog post.

The Rising Tide of Software Supply Chain Attacks

SSC attacks target the various stages of software development and distribution. By compromising the supply chain, attackers can infiltrate numerous systems and organizations simultaneously. This form of attack is particularly insidious because it exploits the trusted relationship between software providers and their customers. 

The significant rise in these attacks can be attributed to several factors, including the increasing complexity of supply chains and the widespread reliance on open-source components. Attackers are exploiting vulnerabilities in these components, or in the processes used to develop, deliver, and update software.

NIST’s Guidance: A Beacon in Tumultuous Waters

NIST’s latest release, SP 800-204, serves as a critical resource for organizations navigating these treacherous waters. The guidance focuses on the integration of security practices within DevSecOps – an approach that blends software development (Dev), security (Sec), and operations (Ops) – particularly within Continuous Integration/Continuous Deployment (CI/CD) pipelines. 

Key Recommendations from NIST

1. Enhanced Security in CI/CD Pipelines: NIST emphasizes the importance of embedding security measures throughout the CI/CD pipeline. This includes conducting security checks at each stage – from coding to deployment – to ensure that vulnerabilities are identified and addressed promptly.

2. Verification of Third-Party Components: Given the reliance on third-party components in software development, NIST recommends thorough vetting and continuous monitoring of these elements to ensure they are secure and updated.

3. Artifact and Attestation Management: NIST suggests maintaining comprehensive records of all activities and artifacts throughout the software development lifecycle. This ensures that each component of the software can be traced back to its source, making it easier to identify and mitigate potential compromises.

4. Regular Audits and Compliance Checks: Conducting regular audits and ensuring compliance with established security standards is crucial in maintaining a secure supply chain.
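As an added illustration of recommendations 2 and 3 (this is not code from NIST, SP 800-204 or Bright), the following shows a minimal signed build attestation that records which inputs produced which artifact, and the check a deploy or update stage would run before accepting that artifact, including the rejection of a modified (trojanized) artifact and of a tampered record. The builder names, sample files, artifact bytes and HMAC key are constructed, and HMAC stands in for the signature scheme a real attestation framework would use.

```python
import hashlib
import hmac
import json

# Constructed key standing in for the attestation signing key of a real
# framework; in production it would live in a KMS/HSM, never in source.
SIGNING_KEY = b"example-attestation-key"


def digest(data: bytes) -> str:
    """SHA-256 hex digest used to identify artifacts and inputs."""
    return hashlib.sha256(data).hexdigest()


def create_attestation(artifact: bytes, materials: dict, builder: str) -> dict:
    """Record the artifact digest, the digests of its inputs and the builder,
    then sign the record so later stages can detect tampering with it."""
    statement = {
        "subject": digest(artifact),
        "materials": {name: digest(content) for name, content in sorted(materials.items())},
        "builder": builder,
    }
    body = json.dumps(statement, sort_keys=True).encode()
    return {"statement": statement, "signature": hmac.new(SIGNING_KEY, body, "sha256").hexdigest()}


def verify_artifact(artifact: bytes, attestation: dict, trusted_builders: set) -> tuple:
    """Accept the artifact only if the attestation is authentic, comes from a
    trusted builder, and its recorded digest matches the artifact in hand."""
    body = json.dumps(attestation["statement"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, attestation["signature"]):
        return False, "attestation signature invalid (record tampered or forged)"
    if attestation["statement"]["builder"] not in trusted_builders:
        return False, "artifact built by untrusted builder"
    if attestation["statement"]["subject"] != digest(artifact):
        return False, "artifact digest does not match attested build (possible trojanized update)"
    return True, "ok"


# Constructed sample build: an update package produced from two source inputs.
MATERIALS = {"src/main.c": b"int main(void){return 0;}\n", "build.sh": b"cc src/main.c -o app\n"}
ARTIFACT = b"constructed-stand-in-for-app-binary-v1.2.3"
ATTESTATION = create_attestation(ARTIFACT, MATERIALS, builder="ci-runner-01")
TRUSTED = {"ci-runner-01"}

if __name__ == "__main__":
    print(verify_artifact(ARTIFACT, ATTESTATION, TRUSTED))                   # accepted
    print(verify_artifact(ARTIFACT + b"<injected>", ATTESTATION, TRUSTED))   # rejected
```

The `materials` map is what makes the artifact traceable back to its source inputs, as recommendation 3 calls for; the same check applies equally to third-party components pulled into the build.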

The DevSecOps Advantage in Mitigating SSC Risks

DevSecOps plays a pivotal role in mitigating the risks associated with SSC attacks. By integrating security practices into every stage of software development, organizations can proactively identify and address vulnerabilities.

1. Early Detection and Response: Incorporating security from the outset allows for early detection of potential threats, reducing the risk of downstream impacts significantly.

2. Automation for Enhanced Security: Automating security tasks within the CI/CD pipeline not only streamlines the process but also ensures consistent application of security measures.

3. Culture of Security: DevSecOps fosters a culture where security is a shared responsibility, encouraging collaboration and continuous learning among teams.

Challenges in Secure Software Delivery

While cloud-native environments and CI/CD pipelines offer numerous advantages, they also present unique security challenges. Incomplete implementation of security measures or lack of expertise can leave these environments vulnerable to exploitation.

1. Complexity of Cloud-Native Technologies: The intricate nature of cloud-native technologies can make it difficult to maintain visibility and control over the security posture.

2. Rapid Pace of Development: The fast-paced environment of CI/CD pipelines can sometimes lead to security being overlooked in the rush to deliver.

Forward-Thinking Strategies for SSC Security

To combat these challenges, organizations must adopt a forward-thinking approach.

1. Continuous Training and Awareness: Regular training programs can help teams stay updated on the latest security practices and threat landscapes.

2. Leveraging Advanced Security Tools: Investing in advanced security tools that are specifically designed for cloud-native environments and CI/CD pipelines can provide an extra layer of protection.

3. Partnership and Collaboration: Collaborating with security experts and industry peers can provide valuable insights and help in sharing best practices.


As software supply chains become increasingly integral to organizational operations, the need to safeguard them is more pressing than ever. NIST’s SP 800-204 is a testament to the critical role of comprehensive security strategies in today’s digital landscape. Organizations must not only heed these guidelines but also cultivate a proactive and informed security culture. By doing so, they can not only defend against the rising tide of SSC attacks but also pave the way for a more secure and resilient digital future.