SOFTWARE SUPPLY CHAIN SECURITY ANALYSIS

Authors

A. Skip, Y. Baryshev

DOI:

https://doi.org/10.28925/2663-4023.2025.29.820

Keywords:

cybersecurity, API protection, CI/CD, software supply chain, threat analysis

Abstract

This article addresses the pressing issue of securing application programming interfaces (APIs) in cloud environments within the broader context of software supply chain protection. Given the widespread adoption of microservice architectures and open REST/GraphQL APIs, the need to defend APIs against attacks has become critically important. The paper presents a formalization of the software supply chain model, which serves as the basis for analyzing potential attack vectors at each stage of the chain — from the compromise of repositories, dependencies, and CI/CD servers to artifact storage and deployment environments. Special attention is given to two key security mechanisms: the Web Application Firewall (WAF) and the API Gateway. A comparative analysis is provided covering their functionality, request handling approaches, security levels, logging methods, and integration into cloud infrastructures. The study identifies that WAFs detect and block HTTP-level attacks — such as SQL injections, XSS, and CSRF — based on signatures or behavioral rules, while API Gateways act as intermediaries managing request routing, authentication, authorization, access policies, and API call control. The research findings demonstrate that WAFs and API Gateways are not interchangeable but should be used as complementary components. The article proposes a combined cloud-based API protection model in which the WAF provides perimeter control and the API Gateway enforces logical access control. Additionally, it presents methods for evaluating the effectiveness of these mechanisms, including empirical testing in sandboxed environments, comparative benchmarking under various configurations, and threat modeling. Finally, the paper outlines several unresolved challenges and directions for further research in API and CI/CD security within cloud environments.

Published

2025-09-26

How to Cite

Skip, A., & Baryshev, Y. (2025). SOFTWARE SUPPLY CHAIN SECURITY ANALYSIS. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 1(29), 263–273. https://doi.org/10.28925/2663-4023.2025.29.820