Unregulated Software Supply Chain

The software supply chain is quite immature in both tooling and relationships, with software parts being brought into applications from various unregulated sources including supplier code, partner code, Open Source projects, and in-house development.

Developers are often able to source Open Source and third-party code from a variety of places on the Internet, ranging from well-known ecosystems like the Apache Software Foundation and the Eclipse Foundation to well-regarded artifact repositories like Maven Central (Java), NuGet (.NET), npm (JS), RubyGems (Ruby), PyPI (Python), and many others. At times, though, code comes into an organization from individual developers anywhere in the world who simply host their work on popular source code hosting platforms like GitHub or GitLab.

All of this Open Source and third-party code typically does not go through the same inbound controls and scrutiny as commercial off-the-shelf (COTS) software.