Software Supply Chain Glossary

A comprehensive collection of terms, concepts, and definitions related to software supply chain management.

100+ Terms

59 Categories

Search

Browse by Letter

All A B C D E F G H I J K L M N O P Q R S T U V X Y Z

Filter by Tag

Access Control

Architecture

Attack Vectors

Authentication

Automation

Build Systems

CI/CD

Cloud

Collaboration

Compliance

Configuration

Configuration Management

Containers

Cryptography

Dependencies

DevOps

DevSecOps

Emerging Technology

Encryption

Firmware

Frameworks

Future Technology

General Concepts

Government

Hardware

Identity

Infrastructure

Infrastructure as Code

Integrity

IoT

Kubernetes

Legal

Licensing

Metrics

Open Source

Orchestration

Package Management

Performance

Pipeline Security

Project Management

Quality Assurance

Risk Management

Security

Software Composition

Software Delivery

Software Supply Chain

Standards

Supply Chain

Supply Chain Security

Technical Debt

Testing

Threats

Tools

Verification

Version Control

Vulnerabilities

Vulnerability Management

Workflow

Zero Trust

Active Filters:

Security×

Clear all filters

A

Artifact Repository

A specialized storage system that manages and organizes software packages, binaries, and dependencies throughout the software development lifecycle.

DevOps

CI/CD

Software Supply Chain

Security

Attestation

A digitally signed statement or evidence about software artifacts that verifies specific properties, origins, or processes related to the software supply chain, enhancing trust and transparency.

Authentication

The process of verifying the identity of a user, system, or entity attempting to access a resource, ensuring that only authorized parties can gain access to protected systems and data.

C

Container Bill of Materials (CBOM)

A structured inventory that documents all components, dependencies, and configuration details within a container image, enabling enhanced visibility and security throughout the container lifecycle.

Cybersecurity and Infrastructure Security Agency (CISA)

A federal agency responsible for improving cybersecurity across government and critical infrastructure sectors, coordinating national cyber defense, and providing guidance on emerging security threats.

Security

Government

Compliance

Vulnerability Management

Code Signing

The process of digitally signing executables and software packages to verify the author's identity and ensure the code hasn't been altered or corrupted since signing.

Security

Cryptography

Integrity

Cryptography

The practice and study of techniques for securing communication and data through the use of mathematical algorithms, enabling confidentiality, integrity, authentication, and non-repudiation in software systems.

D

Dependency Confusion

A software supply chain attack where malicious packages with the same name as internal dependencies are published to public repositories, tricking build systems into using the malicious version.

DevSecOps

An approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle, from initial development through production deployment and beyond.

F

Fuzzing

An automated software testing technique that inputs invalid, unexpected, or random data to discover security vulnerabilities, bugs, and crashes in applications.

H

Hardware Bill of Materials (HBOM)

A comprehensive inventory of all physical components, firmware, and embedded software that make up a hardware product, providing transparency into the hardware supply chain for security and compliance purposes.

I

Immutable Infrastructure

A model where infrastructure components are never modified after deployment; instead, they are completely replaced with new instances when changes are needed.

DevOps

Infrastructure

Security

M

Multi-Factor Authentication (MFA)

A security mechanism that requires users to provide two or more verification factors to gain access to digital resources, significantly enhancing protection beyond passwords alone.

N

Non-Human Identity (NHI)

Digital identities assigned to systems, applications, services, and automated processes rather than human users, enabling secure machine-to-machine communication and access management in modern environments.

P

Provenance

Metadata that describes the origin, creation process, and supply chain journey of a software artifact, enabling verification of its authenticity and integrity.

Security

Compliance

Supply Chain Security

Q

Quantum Computing Security

The field addressing cryptographic vulnerabilities and cybersecurity challenges posed by quantum computers, focusing on post-quantum cryptography and mitigations for quantum threats to software supply chains.

Quantum Computing

A form of computing that harnesses quantum mechanical phenomena to perform calculations, potentially threatening current cryptographic systems while enabling new approaches to secure communications.

R

Reproducible Builds

A set of software development practices that create an independently-verifiable path from source code to binary, ensuring that a given source code always produces identical binary output regardless of who builds it.

DevOps

Security

Software Supply Chain

Build Systems

S

Software Bill of Materials (SBOM)

A formal, machine-readable inventory that lists all components and dependencies included in a software application, providing transparency into the software supply chain.

SCA (Software Composition Analysis)

Tools and methods for identifying, analyzing, and managing third-party and open source components within software applications to mitigate security and compliance risks.

Security

Compliance

Tools

Secrets Management

The processes, practices, and tools for securely handling sensitive information like credentials, tokens, and encryption keys throughout the software development lifecycle and across the supply chain.

Sigstore

An open-source project providing a standard way to sign, verify, and protect software artifacts without managing long-term cryptographic keys.

Security

Tools

Cryptography

Supply Chain Security

SLSA (Supply-chain Levels for Software Artifacts)

A security framework that defines graduated levels of software supply chain security, helping organizations incrementally improve their security posture.

Security

Frameworks

Supply Chain Security

Software Supply Chain

The full lifecycle and pipeline involved in developing, building, packaging, distributing, and deploying software—including dependencies, tools, infrastructure, and people.

General Concepts

Security

DevOps

Supply Chain Attack

A cyberattack that targets the less-secure elements in the software supply chain to compromise the intended target.

Security

Attack Vectors

Threats

T

Transitive Dependency

A dependency that is not directly imported by a project but is required by one of the project's direct dependencies.

General Concepts

Package Management

Security

Typosquatting

A software supply chain attack where malicious packages with names similar to popular dependencies are published, exploiting common typing errors to trick developers into installing them.

V

Vulnerability Management

The cyclical process of identifying, evaluating, treating, and reporting security vulnerabilities across an organization's software, systems, and networks.

Security

Risk Management

DevSecOps

X

XCCDF (Extensible Configuration Checklist Description Format)

A standardized XML-based specification language for writing security checklists, benchmarks, and related documents that enable automated vulnerability management and security compliance testing.

Compliance

Security

Standards

Configuration Management

Y

YAML Security

The principles, practices, and vulnerabilities associated with YAML configuration files that affect software supply chain security, particularly in cloud-native and DevOps environments.

Configuration

DevOps

Security

Infrastructure as Code

CI/CD

Z

Zero Trust Security

A security model that eliminates implicit trust by requiring continuous verification of every user, device, and connection before granting access to resources, regardless of location.

Security

Access Control

Architecture