Securing the Software Supply Chain in Agile Development

1. Software Supply‑Chain Security Challenges in Agile Development

Modern software development emphasizes speed and reliability, but traditional waterfall models struggle with maintenance, scalability, and rapid iteration. Agile (敏态研发) aims for efficient, iterative delivery, yet the software supply chain faces heightened security challenges.

Supply‑chain attacks have grown exponentially from 2020 to 2022, including malicious tampering, backdoors, and hijacking, threatening economic and social stability.

Key challenges include:

Complex and opaque asset dependencies. Frequent version updates increase reuse of code, packages, and third‑party commercial components, with open‑source components forming the majority of software composition.

Prominent risks from vulnerable components, backdoors, and malicious tampering. Inherited upstream vulnerabilities and attacker‑controlled supply chains can inject malicious code that propagates downstream.

Increasingly stringent legal and regulatory requirements. Laws such as the Cybersecurity Law, guidelines for open‑source use in finance, GB/T 22239‑2019, and draft software supply‑chain security regulations impose higher compliance demands.

2. Managing Software Supply‑Chain Security in Agile Development

Enterprises should align with national and industry compliance, establish internal standards, and build a governance system covering unified policies, planning, tools, and mechanisms.

1) Establish Robust Security Policies

Define responsibilities, integrate with existing security processes, and cover the entire software lifecycle—from introduction to retirement—through standards for supply‑chain, outsourcing, procurement, and development.

2) Create a Dynamic Asset Management View

Implement automated toolchains and an enterprise‑level product management system. Integrate software composition analysis (SCA) into CI pipelines, enforce whitelist/blacklist policies, and generate SPDX or CycloneDX bill‑of‑materials to track component vulnerabilities and dependencies.

3) Conduct Full‑Lifecycle Risk Identification

Use contractual safeguards, security reviews, continuous monitoring, and risk remediation to control supply‑chain risks throughout the product lifecycle.

Contractual controls: Require suppliers to provide SBOMs and security assessment reports.

Security reviews: Perform code security scans, known‑vulnerability checks, and antivirus scans before integration.

Continuous monitoring: Leverage threat‑intelligence feeds to detect backdoors and malicious mirrors.

Risk remediation: Prioritize high‑risk vulnerabilities, conduct red‑blue exercises, penetration testing, and crowdsourced security testing.

4) Apply DevSecOps Across Development and Operations

Strengthen security assessments in coding, build, and operation phases. Integrate interactive application security testing, source‑code scanning, and runtime protection to identify and mitigate third‑party component risks and supply‑chain attacks.

3. Conclusion

In fast‑paced agile environments, enterprises can reduce supply‑chain security risks by establishing unified policies, automating asset identification, leveraging threat intelligence and red‑blue testing, and embedding DevSecOps throughout the development lifecycle.