Securing the Software Supply Chain, One Step at a Time