Security

Software supply chain security: What’s in your code? 

Most of your code isn’t yours. And that’s a problem. Here is a practical guide to software supply chain security

Dan Cogburn profile picture
Dan Cogburn

January 13, 20264 min read

Share this post to x. Share to linkedin. Mail to
A question mark over a set of coding. How secure is your software supply chain and what is in your code?

Modern applications depend on open source libraries, third-party APIs, containers, and cloud services. This speeds development, but it also expands the attack surface, increases legal exposure, and introduces dependencies you can’t always see.

The result? More risk is entering the software supply chain than through custom code alone. Traditional AppSec tools were not designed to address this shift.

That’s why supply chain security has shifted from a technical checklist to a business-level priority.

You build on more than your own code

Today’s apps are assembled from many sources:

  • Open source frameworks and packages
  • Container images and cloud-native tooling
  • APIs and third-party integrations

This reuse accelerates delivery but also introduces risks that traditional testing misses:

  • One vulnerable component can compromise dozens of applications
  • Incomplete or out-of-date SBOMs complicate audits and due diligence
  • License violations and compliance gaps slip past manual reviews

Software supply chain security is not a point-in-time scan, but a continuous discipline across the full lifecycle, from the first package added through production and ongoing patching.

Step 1: Start with visibility

You cannot secure what you cannot see.

This is a stylized image showing software supply chain security.

Software composition analysis (SCA) provides teams with a full view of open-source usage. Properly executed, it uncovers:

  • Direct and transitive dependencies
  • Known vulnerabilities and outdated packages
  • License obligations and SBOM creation

Integrated SCA reduces the noise created by disconnected tools. It helps security teams focus on what matters most, which applications are affected, who owns them, and which risks require action.

OpenText Core Software Composition Analysis delivers that visibility through built-in license intelligence and SBOM automation.

Step 2: Shift left without slowing down

Security testing that happens late in the cycle leads to bottlenecks, growing issue backlogs, and stalled releases.

A more effective approach is to embed security directly into development workflows:

  • Run SAST, SCA, and DAST in CI/CD pipelines
  • Treat security checks as routine quality gates
  • Provide developers with actionable feedback directly in their tools

OpenText Core Application Security brings all these tests into a single platform, making security a seamless part of the process rather than a blocker.

Over time, this approach supports a mature secure SDLC:

  1. Define security requirements during design
  2. Continuously test during development
  3. Validate before release
  4. Reassess with each update

Need help getting started? The DevSecOps overview offers a practical starting point.

Step 3: Don’t ignore APIs

APIs often fly under the radar, yet they are central to modern application architectures.

To manage API risk, teams should:

  • Inventory all APIs and identify ownership
  • Test APIs along with other application components
  • View results within the same dashboards

OpenText Dynamic Application Security Testing (DAST) scans running apps and APIs based on real behavior, not just static definitions. This keeps visibility unified without duplicating tools or workflows.

Step 4: Use AI where it counts

Most organizations don’t struggle with a lack of findings. They struggle with a lack of time.

AI-assisted AppSec helps teams focus by:

  • Reducing false positives in SAST scans
  • Delivering contextual guidance developers can act on
  • Accelerating remediation workflows while maintaining oversight

OpenText Application Security Aviator uses AI to prioritize real risks and streamline response, especially when used with Core SCA and Core AppSec.

Quick check: How mature is your supply chain security?

A stylized image demonstrating secure coding and the software supply chain.

Use this checklist to assess the maturity of your program:

  • We treat Supply chain security as a continuous program
  • We have visibility into open source, custom code, and APIs
  • We use SCA in conjunction with SAST and DAST
  • We integrate security testing into CI/CD
  • We actively manage SBOMs, license risk, and zero-day response
  • We are using — or evaluating — AI-assisted AppSec for remediation

You don’t need all of this in place today. But maturity starts with visibility and grows through consistent action.

Ready to go deeper?

Explore Securing the Software Supply Chain position paper here.

Share this post

Share this post to x. Share to linkedin. Mail to
Dan Cogburn avatar image

Dan Cogburn

Opentext IAM’s Product Marketing Manager, Dan Cogburn, effortlessly balances family commitments and various marketing strategies. With a passion for skateboarding and the outdoors, he combines enthusiasm with precision in all his pursuits.

See all posts

More from the author

5 urgent signals your AppSec program can’t ignore in 2025
Security

5 urgent signals your AppSec program can’t ignore in 2025

Our latest State of Application Security report reveals everything you need to know about what’s current and what’s next.

September 25, 2025

4 min read

Don’t miss the Application Security track at OpenText World 2025 
Security

Don’t miss the Application Security track at OpenText World 2025 

Secure your software. Supercharge your team.

September 08, 2025

4 min read

7 DevSecOps best practices for modern development teams 
Security

7 DevSecOps best practices for modern development teams 

How to embed security into every phase of software delivery without slowing down

July 16, 2025

4 min read

Stay in the loop!

Receive regular insights, updates, and resources—right in your inbox.

How can we help?