Book

Supply-Chain Attack Field Guide

The manuscript is written for engineers who need the attack path, the failure points, and the defender’s response in one place.

Back to Books Discuss this work
BookDrafting nowPro membership26 chapters in progress

Banjico treats the supply chain as part of the product. If package trust, CI identity, release automation, or AI-generated deception is abused, the system has already been pulled past the edge of the application.

Why this book exists

A field guide for treating software supply chains as security boundaries.

The book starts from a simple premise: the system that builds and ships software is part of the attack surface. Package registries, signing flows, CI identities, release automation, and even AI-generated output all carry trust that has to be designed and defended.

  1. Map the trust boundaries before you compare packages.
  2. Treat automation identities like production credentials.
  3. Assume release workflows are an attack surface, not a convenience layer.

Current chapter arc

The first chapters cover the attack surface, the attacker’s workflow, and the most common blind spots.

  1. Chapter 1: The modern supply chain is a security boundary.
  2. Chapter 2: How attackers move from dependency trust to execution.
  3. Chapter 3: Identity, signing, and the release pipeline.
  4. Chapter 4: The hidden cost of AI-generated deception.
  5. Chapter 5: Practical defenses for small teams.

The easiest way to lose a system is to trust the easiest path into it.

Banjico working note

Reference base

The manuscript is grounded in official guidance and primary sources.

References