The software supply chain is a vital component of successful software development organizations. However, incidents such as the 2020 SolarWinds attack, the 2021 Log4J vulnerability (Log4Shell), the 2024 xz backdoor (CVE-2024-3094), and the 2025 “tj-actions/changed-files” supply chain attack (CVE-2025-30066) have demonstrated how easily backdoors and breaches in the software supply chain can be exploited, impacting organizations and individuals globally. The Log4J vulnerability, in particular, is notable due to its widespread deployment: just one month after its discovery, the Wall Street Journal had identified a staggering 10 million exploitation attempts per hour.
Organizations that implement robust secure software supply chain tools and practices are able to respond faster to such incidents, thanks to increased visibility and transparency. But a rising tide lifts all boats, and a secure software supply chain would significantly mitigate the risk of such attacks by ensuring the integrity and authenticity of software dependencies from development to deployment, preventing malicious code or unauthorized modifications from entering production systems.
The Cloud Native Public Sector User Group was formed in 2023 to serve as a hub for discussing and advancing cloud computing within the public sector. Alongside enumerating current best practices, we are dedicated to improving public sector workflows and supply chain security by advocating for the development and implementation of secure and resilient cloud-native software within the public sector.
In this whitepaper, we aim to clearly address the current and future challenges of securing the public sector software supply chain, and propose long-term, sustainable solutions for using open source technologies to meet the needs of government systems, whilst ensuring cost-effective solutions exist for the software supply chain.