Open-Source Supply Chain Security: Addressing a Key Challenge

By Robert Bruce, Deputy CTO

In January 2022, the developer behind two immensely popular open-source NPM packages — “colors” and “faker” — intentionally disrupted them, citing overwhelming workload. The ripple effects were felt far and wide, causing thousands of projects to stumble. Another alarming supply chain disruption emerged in March 2022 when a developer made an inconspicuous commit to the widely used NPM “es5-ext” package. The modification was less about code optimization and more of a political statement protesting the war in Ukraine, unbeknownst to the thousands of projects that depended on the package. These incidents exemplify the challenges that underpin software supply chain management, particularly concerning package security and integrity.

Similar to supply chain security issues in the commercial sector, i.e. SolarWinds, open-source software supply chains are increasingly exposed to threats. This puts the software systems that depend on these supply chains on precarious footing. So what can organizations do to avert these threats and protect their systems from supply chain vulnerabilities? 

One answer is “Protective Sequestration” (PS), a concept borrowed from public health that describes measures taken to prevent the infection of a known uninfected group from a potentially infected larger group. In software, this starts with understanding library management.

Library Management and the Need for Vigilance
When we incorporate third-party dependencies into a project, the reliance on external repositories and sources introduces risks of malicious or vulnerable packages. This, in turn, jeopardizes system security and integrity. Taking cognizance of this, library management has evolved to implement mechanisms aimed at safeguarding software supply chains. This is where PS comes in. 

At its core, PS entails taking stringent measures to insulate an uninfected software repository from potential risks. This is achieved by initiating the standard process to download updated versions of packages, used directly or as dependencies in projects, but then intentionally isolating them for a ‘quarantine’ period before being incorporated into the supply chain. This process serves as a buffer, enabling early detection of issues, thereby ensuring that only secure and fixed versions of packages are pulled from our repositories.

Defining Curate in Context
In the backdrop of library management, there is a concept related to protective sequestration called “curate.” Curate is the careful act of selecting, organizing, and maintaining a collection of software packages or dependencies for integration. This implies not merely ensuring the availability of relevant packages but also diligently monitoring their quality and security to safeguard the overall software system.

Preventing Malicious Packages and Vulnerabilities
Protective Sequestration stands as a formidable barrier against unwanted packages, known vulnerabilities, malicious codes, or non-compliant components. It effectively shifts the security focus “to the left”, enabling organizations to prevent harmful packages from infiltrating the chain, rather than retrospectively dealing with them post-integration.

Audit Trail and Integration
Protective Sequestration is more than just a shield; it offers an invaluable audit trail for packages. Organizations can trace the origin, history, and modifications of packages within their supply chain, easing the production of a Software Bill of Materials (SBOM). PS workflows ideally integrate with other components of the supply chain management process, in a largely automated manner. This optimizes security measures, minimizes human error, and assures consistent protection throughout the software development lifecycle.

As the dynamics of the threat landscape evolve, so must our defenses. Protective Sequestration marks a critical step in this direction, bolstering the security of software supply chains. The strategic adoption of PS principles allows organizations to protect their deployment packages, minimize risks, and fortify the security of their systems. The judicious curation and safeguarding of software dependencies underlie the resilience and reliability of systems, empowering organizations to withstand potential attacks and vulnerabilities.

Have questions about supply chain security, zero trust architecture, or DevSecOps? Contact us at

Related: Zero Trust, NIST Recommendations, and Cloud Freedom