Thanks for the comment. I think you made an important point that "Attacks that rely on/reap the benefits of implicit or explicit trust in a supply chain, are all IMHO worth examining under a supply chain lens."
I agree with this framing, but the problem for me is the inability to draw a bright line between different types of attacks using this rubric. An organization "trusts" its developers to not be malicious, so when they prove otherwise, I think it's hard to call that a "supply chain attack" (not that this is what you are saying).
I made my definition very tight to avoid this ambiguity, but it's quite possible that I left out some things from my definitions that should qualify from a practical sense.