The software supply chain includes everything that touches an application or plays a role in its assembly, development, or deployment. Every component, person, activity, material, and procedure. And weakness anywhere introduces risk everywhere.
You need to protect your applications from upstream risk while preventing your organization from generating downstream risk.