★ Best Paper of Track
ASBBS 33rd Annual Conference 2026
Build Environment Risk Governance: A Zero-Trust Framework for Software Supply Chain Visibility
Software supply chain attacks have increased by over 700% since 2019, with the average breach costing organizations $4.45 million. While regulatory frameworks increasingly mandate Software Bills of Materials (SBOMs) for component transparency, a critical governance gap persists: organizations lack visibility into the build environments where software is assembled. This research introduces a risk management framework grounded in zero-trust principles from NIST 800-207 that extends supply chain governance to include build environment metadata. A 60-day pilot deployment across 30 repositories demonstrated that 67% contained configurations vulnerable to supply chain compromise, yet only 12% would trigger traditional compliance alerts, representing substantial unquantified business risk.
Key Findings
67% of repositories had supply chain injection vulnerabilities
12% would trigger traditional compliance alerts
100% organizational coverage on day one with zero developer friction
Keywords