A03: Software Supply Chain Failures

#What is a software supply chain failure?

Software Supply Chain Failures are security failures that enter your application through dependencies, build systems, CI/CD, or the way artifacts and credentials flow through your pipeline.

OWASP 2025 expanded this category beyond “vulnerable components” into broader supply chain failures across dependencies, build systems, and artifact flow.

#Typical Laravel failure

• Blind trust in Composer packages.
• No dependency review.
• Outdated packages, abandoned packages, compromised packages.
• No lockfile discipline, no SBOM, no CI security checks.

#Impact

• Remote code execution or data exfiltration via compromised dependencies.
• Dependency confusion / typosquatting leading to malicious installs.
• Reproducibility failures (different builds in CI vs production).
• Credential leakage from CI or build steps.

#Laravel 12 remediation

• Pin dependencies with composer.lock (commit it; deploy from it).
• Run composer audit in CI.
• Remove abandoned/unmaintained packages.
• Only use trusted packages with real maintenance history.
• Enforce signed CI/CD, protected branches, review gates, and least privilege in publishing/build pipelines.
• Separate developer, CI, and production credentials.
• Track transitive dependencies (not just direct requirements).

#Concrete fix

Run these routinely (and in CI):

composer audit
composer outdated

#Design pattern angle

Wrap third-party SDKs behind Adapter interfaces so you can swap or quarantine a compromised vendor quickly. Use Facades sparingly around third-party SDKs; direct package coupling is lazy and expensive later.

interface Payments
{
    public function charge(int $amountCents, string $currency, string $token): string;
}
 
final class StripePaymentsAdapter implements Payments
{
    public function __construct(private \Stripe\StripeClient $stripe) {}
 
    public function charge(int $amountCents, string $currency, string $token): string
    {
        $intent = $this->stripe->paymentIntents->create([
            'amount' => $amountCents,
            'currency' => $currency,
            'payment_method' => $token,
            'confirm' => true,
        ]);
 
        return (string) $intent->id;
    }
}

#References

• https://laravel.com/docs/12.x/deployment
• https://laravel.com/docs/12.x/configuration
• https://laravel.com/docs/12.x/packages