Software supply chain attacks (e.g., SolarWinds, Log4j, XZ Utils) expose critical gaps in existing security frameworks’ coverage of real-world adversary techniques. Method: We systematically analyzed 106 threat intelligence reports and quantitatively assessed the coverage of 10 mainstream security frameworks—comprising 73 distinct mitigation tasks—against documented attack techniques. Using cross-framework task mapping and attack-technique-to-mitigation-task scoring, we identified coverage gaps and prioritized mitigation actions. Contribution/Results: We found that role-based access control (RBAC) implementation, system monitoring, and boundary protection are the highest-priority mitigation tasks. Critically, three tasks are universally absent across all frameworks: sustainable open-source software governance, integration of environment-scanning tools, and trusted verification of third-party dependencies. Even full adoption of current frameworks leaves substantial defensive blind spots. Our empirically grounded, prioritized mitigation task list supports organizational risk prioritization and framework enhancement.

Software supply chain frameworks, such as the US NIST Secure Software Development Framework (SSDF), detail what tasks software development organizations should adopt to reduce security risk. However, to further reduce the risk of similar attacks occurring, framework adopters (i.e., software organizations) would benefit from knowing what tasks mitigate attack techniques the attackers are currently using to help organizations prioritize and to indicate current framework task gaps that leave organizations vulnerable to attacks. The goal of this study is to aid software supply chain framework adopters in reducing the risk of attacks by systematically mapping the attack techniques used in the SolarWinds, Log4j, and XZ Utils attacks to mitigating framework tasks. We qualitatively analyzed 106 Cyber Threat Intelligence (CTI) reports of the 3 attacks to gather the attack techniques. We then systematically constructed a mapping between attack techniques and the 73 tasks enumerated in 10 software supply chain frameworks. Afterward, we established and ranked priority tasks that mitigate attack techniques. The three mitigation tasks with the highest scores are role-based access control, system monitoring, and boundary protection. Additionally, three mitigation tasks were missing from all ten frameworks, including sustainable open-source software and environmental scanning tools. Thus, software products would still be vulnerable to software supply chain attacks even if organizations adopted all recommended tasks.