JOURNAL OF INFORMATION SECURITY AND APPLICATIONS, vol. 97, 2026 (SCI-Expanded, Scopus)
Software products have become a vector for cyber-attacks that target organizations through their software supply chain (SSC), using it as a distribution channel. As software projects rely ever more heavily on open-source or proprietary modules, the SSC is becoming increasingly critical and has therefore attracted the interest of cyber attackers. While existing studies primarily focus on methods for preventing and detecting software supply chain attacks, a broad overview of the attacks themselves and a comprehensive risk assessment for software supply chain security are still lacking. This study conducts a systematic literature review to fill this gap. By analyzing 96 papers published between 2015 and 2023, we identified 19 distinct SSC attacks, including 6 novel attacks highlighted in recent studies. Additionally, we developed 25 specific security controls and established a precisely mapped taxonomy that transparently links each control to one or more specific attacks. By establishing this relationship, we demonstrate how SSC security controls are strategically designed to counteract specific attack vectors. Furthermore, we emphasize the role of risk assessment as a foundational step in understanding and prioritizing these vulnerabilities. This study introduces a risk assessment methodology tailored to software supply chain environments, focusing on identifying vulnerabilities in software components, dependencies, and suppliers. The proposed methodology enables organizations to systematically prioritize threats and implement appropriate mitigation strategies.