Supply Chain Security Project: Primer

Terms you should know

Last Week: You should learn AWS Security Hub CSPM

Next Week: Supply Chain Security Project 📦 ⚔️

This Week: Supply Chain Security Project: Primer

---

The Supply Chain Security Project is proving more involved than anticipated and isn’t quite ready yet, I thought this would be the perfect opportunity to get you familiar with some key terms and concepts you’ll need to understand for next week’s episode of Cyber Notes.

This might not be for everyone.

I realise that a large section of my audience just want to some cool simple Cloud Security Projects they can follow along with. That’s nice for learning early days but it’s not going help land you a job, trust me.

When I’m learning something new, it’s often all the new terms, concepts etc that make it feel overwhelming… Think of this as your primer, the foundational vocabulary that will make the bigger picture much clearer.

Dependencies: The Building Blocks of Modern Software

When you’re developing a web application that needs a backend database, your application depends on libraries that handle those database interactions. Without them, your app simply won’t work.

There are two main types of dependencies:

Direct Dependencies: These are the libraries you actually import directly into your code to make your application function.

Transitive Dependencies: These are the libraries that your imported libraries depend on to run and work properly. You might never directly interact with them, but they’re needed for your direct dependencies to function.

As you can imagine, this dependency web gets messy very quickly.

Package vs Library: What’s the Difference?

• Library = The actual code (functions & modules) that provides functionality

• Package = A way to organise, bundle, and distribute one or more libraries

A Simple Example

Let’s say you write a math utilities library in mymath.py:

# mymath.py  
def add(a, b):
    return a + b

def multiply(a, b):
    return a * b

This is a library - reusable code you can import:

# main.py
from mymath import add, multiply

print(add(2, 3))      # 5
print(multiply(4, 5)) # 20

To turn this into a package, you’d organise it for distribution:

mymath_package/
│
├── mymath/
│   ├── __init__.py
│   ├── add.py
│   └── multiply.py
│
├── setup.py
└── README.md

Now it’s bundled as a package that can be installed with pip install.

Don’t worry if you feel lost, this stuff is hard to learn.

Managing this

Managing these dependencies is challenging. You need proper management tools like NPM (JavaScript) or PIP (Python) to install, update, and remove packages without creating conflicts.

You also get dependency management software that can analyse your dependencies, ensure they work together, and track changes.

Finally, we have build tools like Make or Gradle that automate code compilation, source code linking with libraries, and executable creation.

Where Are Dependencies Defined?

Manifest Files = The instruction booklet

• Says which packages you need: “I need a red car, a green house, and a yellow rocket”

• Doesn’t always care about exact versions, just general requirements like “I need Lego car version 1.x”

Lockfiles = The shopping receipt

• Records exactly what you got, including precise versions: “You got Lego car version 1.2.3, house version 3.4.5, rocket version 2.0.1”

Examples:

• JavaScript: package.json (manifest) + package-lock.json (lockfile)

• Python: requirements.in (manifest) + requirements.txt (lockfile)

But Wait, There’s More: SBOMs

This might sound similar to a Software Bill of Materials, but it’s not quite the same thing.

The lockfile is used by the package manager for dependency resolution.

But an SBOM is for security and compliance - it contains EVERYTHING inside your software, including your dependencies, plus licenses and vulnerabilities in a standardised format like CycloneDX or SPDX.

Here’s what an SBOM snippet looks like:

{
  “bomFormat”: “CycloneDX”,
  “specVersion”: “1.5”,
  “version”: 1,
  “metadata”: {
    “component”: {
      “type”: “application”, 
      “name”: “my-python-app”,
      “version”: “1.0.0”
    }
  },
  “components”: [
    {
      “type”: “library”,
      “name”: “flask”, 
      “version”: “3.0.2”,
      “licenses”: [{”license”: {”id”: “BSD-3-Clause”}}]
    }
  ]
}

Next Week

Now that you’re armed with these fundamental concepts, next week’s deep dive into Supply Chain Security will make much more sense.

---

WJPearce - Cyber Notes

Enjoyed this? Why not check out my other reads…

The Ultimate Docker Project🐋

Part Two: The Ultimate Docker Project 🐋

The AWS Starter Pack

Easy Cloud DevOps Project🔧

New AWS Account Step-by-Step Guide✔️

Beginner AI Cloud CV Project📝

SQL Injection: Made Simple 💉

The Ultimate Cloud Project ☁️

Easy Cloud Automation Project ⚙️