OWASP / Top10

Official OWASP Top 10 Document Repository

Change A9 to a general software supply chain category #477

Open stevespringett opened 4 years ago

stevespringett commented 4 years ago

Since 2013, A9 has been a single risk in a domain where there are hundreds of potential risks, many of which impact security.

IMO, "Using components with known vulnerabilities" is too specific and continues to reinforce a fallacy that this is the only (or worst) of the security threats. It's not. A call for data in this category, however, may reveal very little insight other than "Using components with known vulnerabilities". This is partially due to the limited scope and visibility that SCA tools have.

The Component Analysis wiki article contains about a dozen areas of concern.

In addition, the OWASP Software Component Verification Standard (SCVS) currently has a list of about 100 activities, processes, and best practices that aim to reduce software supply chain risk. This project is just getting started but may provide some value in attempting to determine how to better categorize A9 in the future.

stevespringett commented 3 years ago

The Atlantic Council recently published a paper on software supply chain risk, which covers many of the types of things that OWASP SCVS attempts to highlight.

https://www.atlanticcouncil.org/in-depth-research-reports/report/breaking-trust-shades-of-crisis-across-an-insecure-software-supply-chain/

This should hopefully provide some data and references necessary to strengthen the case for turning A9 into a broader software supply chain category.