A supply chain attack targets less-secure elements in a software or hardware supply chain rather than attacking the final target directly. The SolarWinds breach of 2020 is the defining example: attackers compromised a software update mechanism used by thousands of organizations.
Supply chain attacks are particularly dangerous because they exploit trust relationships. When a vendor’s software is already approved inside your network, malicious code riding in a legitimate update bypasses many traditional security controls: the update arrives through the vendor’s normal channel, carrying the vendor’s signature, so allow-listing and code-signing checks treat it as trusted.
CISSP Relevance
Supply chain security appears in Domain 1 (Security and Risk Management) and Domain 3 (Security Architecture and Engineering). CISSP candidates must understand vendor assessment, software integrity verification, and how to structure contracts and audits to reduce third-party risk.
External reference: CISA ICT Supply Chain Risk Management
Related terms: Threat Modeling, Risk Management