Software products are a source of cyber-attacks that target organizations by using their software supply chain as a distribution vector. As the reliance of software projects on open-source or proprietary modules increases drastically, the software supply chain (SSC) is becoming more and more critical and has therefore attracted the interest of cyber attackers. While existing studies focus primarily on methods for preventing and detecting software supply chain attacks, there is a need for a broad overview of such attacks and a comprehensive risk assessment for software supply chain security. This study conducts a systematic literature review to fill this gap. We analyze the most common software supply chain attacks, present the latest trends in the analyzed attacks, and identify the security risks for open-source and third-party software supply chains. Furthermore, this study introduces unique security controls to mitigate the analyzed cyber-attacks and risks by linking them with real-life security incidents and attacks.