Literature Sharing (94): The Concept of the Software Supply Chain

2025-05-24 13:42


Share interest, spread happiness, broaden horizons, and leave something beautiful behind.

Dear reader, this is the LearningYard New Academy!

Today the editor brings you a knowledge-sharing post.

Welcome!

1 Content summary

Today the editor interprets and shares the concept of the software supply chain in three parts: a mind map, intensive reading content, and a knowledge supplement.

2 Mind map

3 Intensive reading content

The software industry is developing rapidly, and open-source software has become its mainstream form. At the same time the software supply chain is becoming more complex and more diverse, security risks keep growing, and the supply chain has become one of the key factors that determine whether software is secure. Before discussing software supply chain security, it is necessary to understand what a software supply chain is, to form a concrete picture of it, and to recognize how it differs from other, traditional supply chains.

The white paper notes that the industry currently holds several views of what a software supply chain is, three of which are mainstream. The first two are each one-sided to some degree, so the white paper adopts the third: the software supply chain is the complete chain of processes by which raw materials are worked into the final product in the consumer's hands and that product is then operated.

A traditional supply chain is a process made up of organizations, people, technologies, activities, information, and resources that moves goods or services from suppliers into the hands of consumers. The concept of the software supply chain is an extension of this traditional concept, because the products of the two have similar life cycles.

The software supply chain life cycle has four links: raw components, integrated components, software products, and product operations. These correspond, respectively, to raw materials, intermediate components, the goods delivered to the consumer, and the service assurance provided to the consumer after delivery. The software supply chain can therefore be understood as the entire process by which software and systems go from production to delivery, organized as an automated, standardized, and scalable continuous-delivery pipeline.

As in a traditional supply chain, problems that arise in a given link of the software supply chain are the responsibility of the party that owns that link. Problems in the raw-component and integrated-component stages, for example, should be fixed by the corresponding component suppliers, while software practitioners need to concentrate on the development of their own software product and on its subsequent operation.

Security in the software supply chain and in the traditional supply chain has both commonalities and differences. The commonality is that attackers go after the weakest link in the chain and then contaminate everything upstream and downstream of it. The differences are that the software supply chain exposes a larger attack surface, attacks on it are easier to carry out, an attack can land at any stage of the life cycle, and its effects propagate widely while remaining well hidden, rather than concentrating on instantaneous destructive force.
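The propagation point above is easiest to see on a concrete dependency graph. The following is an added example, not code from the white paper or the LearningYard article: it models a toy supply chain whose components are tagged with the four life-cycle links named in the text, computes the downstream blast radius of a compromised component, and reports who owns the fix under the division of responsibility described above. All component names and dependency edges are constructed for illustration and do not describe any real product.

```python
"""Blast-radius walk over a constructed software supply chain graph.

Added example. The component names, stage labels and edges are invented
for illustration; nothing here describes a real product or incident.
"""
from collections import deque

# Stage labels follow the four life-cycle links named in the white paper.
RAW, INTEGRATED, PRODUCT, OPERATIONS = "raw", "integrated", "product", "operations"

# Constructed sample chain: component -> (stage, direct upstream suppliers).
# Edges point from a consumer to the components it is built from.
SUPPLY_CHAIN = {
    "zlib-src":        (RAW, []),
    "openssl-src":     (RAW, []),
    "json-parser-src": (RAW, []),
    "http-lib":        (INTEGRATED, ["zlib-src", "openssl-src"]),
    "auth-sdk":        (INTEGRATED, ["openssl-src", "json-parser-src"]),
    "billing-app":     (PRODUCT, ["http-lib", "auth-sdk"]),
    "report-tool":     (PRODUCT, ["json-parser-src"]),
    "billing-saas":    (OPERATIONS, ["billing-app"]),
}


def dependents(chain):
    """Invert the graph: supplier -> set of components that consume it directly."""
    inverted = {name: set() for name in chain}
    for name, (_stage, upstreams) in chain.items():
        for upstream in upstreams:
            inverted[upstream].add(name)
    return inverted


def blast_radius(chain, compromised):
    """Return every component transitively downstream of `compromised`, grouped by stage.

    A breadth-first walk over the inverted graph; the result shows how a single
    contaminated raw component reaches integrated components, products and
    the operated service without any further action by the attacker.
    """
    inverted = dependents(chain)
    seen = set()
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for consumer in inverted[current]:
            if consumer not in seen:
                seen.add(consumer)
                queue.append(consumer)
    by_stage = {}
    for name in sorted(seen):
        by_stage.setdefault(chain[name][0], []).append(name)
    return by_stage


def responsible_party(chain, component):
    """Who owns the fix for a problem in `component`, per the text's division of responsibility."""
    stage = chain[component][0]
    if stage in (RAW, INTEGRATED):
        return "component supplier"
    return "software practitioner (product owner)"


if __name__ == "__main__":
    for compromised in ("openssl-src", "json-parser-src"):
        print(compromised, "->", blast_radius(SUPPLY_CHAIN, compromised),
              "| fix owned by:", responsible_party(SUPPLY_CHAIN, compromised))
```

Running the block shows that a single raw component such as `openssl-src` contaminates two integrated components, one product and the operated service, and that `json-parser-src` reaches two unrelated products through different paths; the same walk over a real SBOM is the first step in scoping an upstream compromise.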

4 Knowledge supplement

What do terms such as "white paper" and "blue book" mean?

That is all for today's sharing.

If you have your own thoughts on today's article,

please leave us a message,

and let us meet again tomorrow.

We wish you a happy day!

References:

Translation: ChatGPT 4

Text: Software Supply Chain Security White Paper (2021) (软件供应链安全白皮书(2021))

This article was compiled and published by LearningYard New Academy. If it infringes any rights, please leave a message in the backend so we can discuss it.

Copy | 姜疯雨火

Layout | 姜疯雨火

Review | zjj

Source: LearningYard Academy
