Badis Hammi,Sherali Zeadally

DOI: https://doi.org/10.1109/mc.2023.3273491

2023-07-01

Computer

Abstract:Software application development involves various actors and organizations in what is called the software supply chain. We discuss how we can achieve strong resilience of the software supply chain to cyberthreats and then propose a holistic end-to-end security approach for the software supply chain.

computer science, software engineering, hardware & architecture

Marcela S. Melara,Mic Bowman

DOI: https://doi.org/10.48550/arXiv.2209.04006

2022-09-08

Cryptography and Security

Abstract:The software supply chain involves a multitude of tools and processes that enable software developers to write, build, and ship applications. Recently, security compromises of tools or processes has led to a surge in proposals to address these issues. However, these proposals commonly overemphasize specific solutions or conflate goals, resulting in unexpected consequences, or unclear positioning and usage. In this paper, we make the case that developing practical solutions is not possible until the community has a holistic view of the security problem; this view must include both the technical and procedural aspects. To this end, we examine three use cases to identify common security goals, and present a goal-oriented taxonomy of existing solutions demonstrating a holistic overview of software supply chain security.

Motunrayo Oluremi Ibiyemi,David Olanrewaju Olutimehin

DOI: https://doi.org/10.51594/ijmer.v6i6.1241

2024-06-24

International Journal of Management & Entrepreneurship Research

Abstract:This review paper explores the evolving landscape of cybersecurity threats within supply chains, highlighting strategic measures necessary to mitigate these risks. As supply chains integrate more deeply with digital technologies and global networks, they become more vulnerable to sophisticated cyber attacks that can severely disrupt operational integrity and security. This paper synthesizes existing literature to outline the major cybersecurity challenges faced by supply chains, examining case studies and best practices from various industries. Our findings underscore the prevalent threats such as ransomware, phishing, and insider attacks, which exploit the complex interdependencies and digital interfaces in supply chains. The review identifies effective strategic responses, including the integration of comprehensive cybersecurity frameworks, enhanced inter-organizational cooperation, and the implementation of real-time threat detection systems. Conclusively, the paper advocates for a holistic and proactive approach to cybersecurity, emphasizing continuous improvement and adaptive strategies to protect against the dynamic nature of cyber threats in supply chain contexts. Keywords: Cybersecurity, Supply Chain Management, Risk Assessment, Continuous Monitoring, Incident Response, Blockchain Technology, Artificial Intelligence (AI), Collaboration and Information Sharing, Cyber Threats, Emerging Technologies.

Betul Gokkaya,Leonardo Aniello,Basel Halak

DOI: https://doi.org/10.48550/arXiv.2305.14157

2023-05-23

Cryptography and Security

Abstract:The software product is a source of cyber-attacks that target organizations by using their software supply chain as a distribution vector. As the reliance of software projects on open-source or proprietary modules is increasing drastically, SSC is becoming more and more critical and, therefore, has attracted the interest of cyber attackers. While existing studies primarily focus on software supply chain attacks' prevention and detection methods, there is a need for a broad overview of attacks and comprehensive risk assessment for software supply chain security. This study conducts a systematic literature review to fill this gap. We analyze the most common software supply chain attacks by providing the latest trend of analyzed attacks, and we identify the security risks for open-source and third-party software supply chains. Furthermore, this study introduces unique security controls to mitigate analyzed cyber-attacks and risks by linking them with real-life security incidence and attacks.

Md Jobair Hossain Faruk,Masrura Tasnim,Hossain Shahriar,Maria Valero,Akond Rahman,Fan Wu

DOI: https://doi.org/10.1109/ISSREW55968.2022.00081

2022-01-01

Abstract:Software supply chain attacks occur during the processes of producing software is compromised, resulting in vulnerabilities that target downstream customers. While the number of successful exploits is limited, the impact of these attacks is significant. Despite increased awareness and research into software supply chain attacks, there is limited information available on mitigating or architecting for these risks, and existing information is focused on singular and independent elements of the supply chain. In this paper, we extensively review software supply chain security using software development tools and infrastructure. We investigate the path that attackers find is least resistant followed by adapting and finding the next best way to complete an attack. We also provide a thorough discussion on how common software supply chain attacks can be prevented, preventing malicious hackers from gaining access to an organization's development tools and infrastructure including the development environment. We considered various SSC attacks on stolen code-sign certificates by malicious attackers and prevented unnoticed malware from passing by security scanners. We are aiming to extend our research to contribute to preventing software supply chain attacks by proposing novel techniques and frameworks.

Olubunmi Adeolu Adenekan,Chinedu Ezeigweneme,Excel Great Chukwurah

DOI: https://doi.org/10.51594/ijmer.v6i5.1125

2024-05-12

International Journal of Management & Entrepreneurship Research

Abstract:This review paper explores the multifaceted realm of cybersecurity within IT supply chains, addressing the intricate challenges posed by digital vulnerabilities, high-profile cyber incidents, and emerging threats. It highlights the criticality of continuous risk assessment, the implementation of international security standards, and the necessity for enhanced management of third-party vendors. The paper also delves into advanced technological solutions like blockchain, AI, and machine learning for bolstering security, advocating for best practices including the zero-trust model, regular employee training, and secure software development. Emphasizing a proactive over a reactive approach, the paper underscores the evolving nature of cyber threats and the imperative for adaptive strategies. It calls for concerted efforts from businesses, policymakers, and IT professionals to prioritize and continuously refine cybersecurity measures in safeguarding IT supply chains against future threats. Keywords: IT Supply Chain, Cybersecurity, Risk Management, Blockchain, Zero-Trust Model, Artificial Intelligence.

Dr. Arjita Mishra,,Nidhi Gupta,Gautam Kumar Jha

DOI: https://doi.org/10.59256/ijire.20240502025

2024-04-11

Abstract:In an increasingly interconnected world, supply chain resilience has emerged as a critical factor for businesses to navigate disruptions and uncertainty. This paper delves into the dynamic landscape of supply chain management, emphasizing the need for organizations to adapt and fortify their operations against a myriad of challenges, ranging from natural disasters to geopolitical tensions and pandemics. Drawing on a comprehensive review of existing literature and real-world case studies, this research explores the key components of supply chain resilience and identifies best practices for building robust systems. It examines the role of technology, collaboration, and risk management strategies in enhancing resilience across various industry sectors. Furthermore, this paper sheds light on the impact of recent global disruptions, such as the COVID-19 pandemic, on supply chains worldwide, highlighting both the vulnerabilities exposed and innovative responses adopted by organizations. A nuanced analysis elucidates the lessons learned and opportunities for improvement in supply chain resilience frameworks. By synthesizing insights from academia and industry, this study offers practical recommendations for executives and policymakers to bolster supply chain resilience in an era characterized by volatility and complexity. It underscores the imperative for proactive measures, agile strategies, and continuous monitoring to mitigate risks and ensure operational continuity in the face of uncertainty. Ultimately, this research contributes to a deeper understanding of supply chain resilience as a strategic imperative, empowering organizations to thrive amidst global disruptions and safeguard the flow of goods and services in an interconnected global economy.

Krishna Hajarath,Jayapal Vummadi

DOI: https://doi.org/10.47604/ijscm.2530

2024-05-03

International Journal of Supply Chain Management

Abstract:Purpose: This paper aims to review various risk management strategies as well as measure its capability as an instrument to strengthen the chain resilience in the backdrop of the present-day economic environment. Methodology: The paper utilizes well-known literature review techniques to gather and analyze the strategies including diversification, collaboration, technology adoption, and contingency planning that not only avoid supply chain risks but also create resiliency in organizations. It is focused on the root causes, effects, and aftermath of supply chain disruptions; the potential solutions to counter these problems are also evaluation by this process. Findings: The study points out that the traditional risk management approaches are not enough, and suggests implementing the techniques such as mapping of the supply chain, supplier diversification and investment in digital technologies like block chain, cloud computing and cyber security. These approaches aid in boosting the supply chain resilience by providing transparency, enabling backup inventory management, and improving collaboration and efficiency within the supply chain operations. Unique Contribution to Theory, Practice and Policy: The study complements the existing body of knowledge by offering a detailed overview of risk management strategies that can be implemented for the purpose of supply chain resilience. It provides with concrete suggestions on issues of diversity, the use of new technologies, and of coordination to strengthen the chains of supply against disruptions. Furthermore, the research calls for policy intervention to enable the utilization of the above-discussed strategies and increase supply chain resilience at a broader level as well.

Beatriz M. Reichert,Rafael R. Obelheiro

DOI: https://doi.org/10.1080/1206212x.2024.2390978

2024-08-21

International Journal of Computers and Applications

Abstract:In recent years, software supply chain security has attracted significant research attention. This research subject is concerned both with the security of infrastructures used to build software and deliver it to end users and with the security of software that contains external dependencies such as third-party packages and libraries, and its chief goal is to ensure that no vulnerabilities are introduced in the path between developers and users. This paper presents a Systematic Literature Review to identify knowledge gaps in software supply chain security. For this, we considered studies published between 2012 and 2023 in the search engines of IEEE Xplore, ACM Digital Library, Engineering Village, Scopus, and arXiv. Of the 2051 studies obtained in the primary survey, only 85 are relevant for this research. Analyzing the studies, we observed gaps such as little discussion of software supply chains that involve cloud components, few proposals focused on the software distribution process, and a lack of use of threat modeling frameworks to help identify threats to the supply chain and validate the results.

Krishna Hajarath,Jayapal Vummadi

DOI: https://doi.org/10.47604/ijscm.2633

2024-06-03

International Journal of Supply Chain Management

Abstract:Purpose: This paper emphasizes the significance of proactive strategies in enhancing supply chain resilience against disruptions, focusing on natural disasters, geopolitical instability, and pandemics. Through risk assessment, scenario planning, and proactive measures like diversification, inventory optimization, and technology adoption, it proposes an integrated methodology for resilient supply chains. Methodology: Drawing from literature and real-world examples, this study develops a framework for supply chain resilience, emphasizing contingency planning and implementation techniques. Findings: The integrated methodology enhances companies' resilience and recovery capacity, mitigating the severity of disruption effects. Practical recommendations are offered for developing resilient supply chains in uncertain business environments. Unique Contribution to Theory, Practice and Policy: This study contributes by offering actionable recommendations, bridging theory and practice, to fortify supply chains against instability and uncertainty, thereby advancing both theoretical understanding and practical applications in supply chain resilience planning.

Eman Abu Ishgair,Marcela S. Melara,Santiago Torres-Arias

2024-05-29

Abstract:The software supply chain comprises a highly complex set of operations, processes, tools, institutions and human factors involved in creating a piece of software. A number of high-profile attacks that exploit a weakness in this complex ecosystem have spurred research in identifying classes of supply chain attacks. Yet, practitioners often lack the necessary information to understand their security posture and implement suitable defenses against these attacks. We argue that the next stage of software supply chain security research and development will benefit greatly from a defense-oriented approach that focuses on holistic bottom-up solutions. To this end, this paper introduces the AStRA model, a framework for representing fundamental software supply chain elements and their causal relationships. Using this model, we identify software supply chain security objectives that are needed to mitigate common attacks and systematize knowledge on recent and well-established security techniques for their ability to meet these objectives. We validate our model against prior attacks and taxonomies. Finally, we identify emergent research gaps and propose opportunities to develop novel software development tools and systems that are secure-by-design.

Cryptography and Security

Chinenye Okafor,Taylor R. Schorlemmer,Santiago Torres-Arias,James C. Davis

2024-06-14

Abstract:This paper systematizes knowledge about secure software supply chain patterns. It identifies four stages of a software supply chain attack and proposes three security properties crucial for a secured supply chain: transparency, validity, and separation. The paper describes current security approaches and maps them to the proposed security properties, including research ideas and case studies of supply chains in practice. It discusses the strengths and weaknesses of current approaches relative to known attacks and details the various security frameworks put out to ensure the security of the software supply chain. Finally, the paper highlights potential gaps in actor and operation-centered supply chain security techniques

Cryptography and Security,Software Engineering

Jeferson Martínez,Javier M. Durán

DOI: https://doi.org/10.18280/ijsse.110505

2021-10-31

International Journal of Safety and Security Engineering

Abstract:Exploitation of a vulnerability that compromised the source code of the Solar Winds’ Orion system, a software that is used widely by different government and industry actors in the world for the administration and monitoring of networks; brought to the fore a type of stealth attack that has been gaining momentum: supply chain attacks. The main problem in the violation of the software supply chain is that, from 85% to 97% of the code currently used in the software development industry comes from the reuse of open source code frameworks, repositories of third-party software and APIs, creating potential vulnerabilities in the development cycle of a software product. This research analyzes the SolarWinds case study from an exploratory review of academic literature, government information, but also from the articles and reports that are published by different cybersecurity consulting firms and software providers. Then, a set of good practices is proposed such as: Zero trust, Multi-Factor authentication mechanisms (MFA), strategies such as SBOM and the recommendations of the CISA guide to defend against this type of attack. Finally, the research discusses about how to improve response times and prevention against this type of attacks, also future research related to the subject is suggested, such as the application of Machine Learning and Blockchain technologies. Additionally for risk reduction, in addition to the management and articulation of IT teams that participate in all the actors that are part of the software life cycle under a DevSecOps approach.

Jawaher Albalushi,Rashmi Mishra,Melese Abebe

DOI: https://doi.org/10.26668/businessreview/2023.v8i12.4165

2023-12-18

International Journal of Professional Business Review

Abstract:Purpose: This study is aimed at supply chain resilience and quality management, which are critical in today's volatile global economy marked by various disruptions. The focus is on how these traditionally separate disciplines can be combined to enhance organizational performance. Theoretical framework: The theoretical framework revolves around the concepts of supply chain resilience, which includes elements like proactive risk assessment, adaptability, collaborative networks, strategic redundancies, and quality management principles. The research scrutinizes their interplay, revealing significant overlap and implications for organizational outcomes. Design/Methodology/Approach: An exploratory case study approach forms the core methodology, primarily utilizing secondary data to gain insights into real-world scenarios. This approach enables a deep understanding of the critical factors influencing supply chain resilience and the impact of quality management concepts on customer satisfaction and product/service quality in supply chain processes. The questionnaire is distributed to get insights into the company's practices. Findings: The findings indicate that integrating supply chain resilience with quality management leads to more sustained and improved organizational outcomes. A resilient supply chain is quicker to recover from disruptions, minimizing financial impacts. Concurrently, a steadfast focus on quality ensures customer satisfaction and loyalty. This integration offers synergistic benefits, contributing to operational efficiency, market competitiveness, and a more substantial brand reputation. Research, Practical & Social implications: The study provides insights into critical factors of supply chain resilience and their interconnections with quality management concepts. These insights can inform strategies for enhancing resilience and quality management in supply chains. Practically, the study offers a guide for organizations to adopt a unified approach that optimizes supply chain resilience and quality management. This approach is particularly relevant for organizations seeking to improve operational efficiency and customer satisfaction through better risk management and quality assurance processes. Socially, the study highlights the importance of resilient and high-quality supply chains in today’s business landscape by maintaining Sustainable Developmental Goals. Originality/Value: This research highlights how resilience, characterized by adaptability and robust recovery in disruptive scenarios, and stringent quality management, crucial for meeting customer expectations, are fundamental in modern supply chains. The study emphasizes the importance of a risk management culture and the role of digital technologies in enhancing supply chain resilience, underscoring their vital contributions during crises like the COVID-19 pandemic. Thus, this work offers valuable insights into achieving more resilient and high-quality supply chains in today's challenging business environment through the integration of Quality Management Tools.

Nusrat Zahan

DOI: https://doi.org/10.1109/ICSE-Companion58688.2023.00068

2023-05-01

Abstract:Sonatype has recorded an average 700% jump in software supply chain attacks [1], measured by the number of newly-published malicious packages in open-source repositories. The 2022 Synopsys report [2] assessed the reliance of the software industry on open-source software (OSS), and estimated that 97% of applications use OSS and 78% of the code comes from OSS. Practitioners did not anticipate how the software supply chain would become a deliberate attack vector and how the risk of the software supply chain would keep growing. Practitioners are more aware of the supply chain risks and want to know how to detect the implementation of package security practices and the security risk so they can make informed decisions to select dependencies for their projects. The goal of this research is to aid practitioners in producing more secure software products that are resistant to supply chain attacks through the identification and evaluation of actionable security metrics to detect risky components in the dependency graph. To achieve this goal, the thesis presents research on software security metrics evaluation in different ecosystems by leveraging software security frameworks, malicious attack vectors, and the OpenSSF Scorecard project to detect the implementation of secure practices and their significance to security outcomes.

Computer Science,Business,Engineering

Yijun Shen,Xiang Gao,Hailong Sun,Yu Guo

DOI: https://doi.org/10.1007/s10664-024-10581-2

IF: 3.762

2024-11-08

Empirical Software Engineering

Abstract:Due to the dependency relations among software, vulnerabilities in software supply chains (SSC) may cause more serious security threats than independent software systems. This poses new challenges for ensuring software security including the spread of risks and the increase in maintenance costs.

computer science, software engineering

Mansoor Shekarian,Mahour Mellat Parast

DOI: https://doi.org/10.1080/13675567.2020.1763935

2020-05-15

International Journal of Logistics Research and Applications

Abstract:A fundamental question in supply chain resilience is identifying its antecedents and investigating the relative importance of each antecedent in improving resilience to supply chain disruptions. In this paper, a comprehensive systematic literature review is conducted to assess the impact of each of the most widely known practices to enhance resilience (flexibility, agility, redundancy, and collaboration) on mitigating each type of supply chain disruption (demand, supply, process, control, and environmental disruptions). The literature review found that collaboration has been identified by the literature as the most important strategy to cope with control disruptions, and flexibility has been identified by the literature as the most important strategy to cope with demand, supply, process, and environmental disruptions. A framework is then developed for identifying the appropriate antecedents in improving resilience to different types of supply chain disruptions.

management

William Arthur Conklin,Dan Shoemaker,Anne Kohnke

DOI: https://doi.org/10.1080/07366981.2017.1355097

2017-08-03

EDPACS

Abstract:Due to the international nature of supply chains, organizations interact by proxy with suppliers that they have little or no knowledge of. Limited knowledge of suppliers’ security practices means less control over overall product security, which can increase corporate risk. Formal risk management is critical to the overall procurement process and the risk to the critical components throughout the acquisition lifecycle can be managed by installing proactive supply chain risk management (SCRM) key practices. A properly managed supply chain is a critical requirement in ensuring trust in an organization’s sourced products. We discuss the assurance process requirements as well as a well-defined and recognized set of system engineering practices that apply scientific and engineering principles to ensure systematic direction, control, and trust.

Martin Christopher,Hau Lee

DOI: https://doi.org/10.1108/09600030410545436

2004-06-01

Abstract:Today's marketplace is characterised by turbulence and uncertainty. Market turbulence has tended to increase for a number of reasons. Demand in almost every industrial sector seems to be more volatile than was the case in the past. Product and technology life‐cycles have shortened significantly and competitive product introductions make life‐cycle demand difficult to predict. At the same time the vulnerability of supply chains to disturbance or disruption has increased. It is not only the effect of external events such as wars, strikes or terrorist attacks, but also the impact of changes in business strategy. Many companies have experienced a change in their supply chain risk profile as a result of changes in their business models, for example the adoption of “lean” practices, the move to outsourcing and a general tendency to reduce the size of the supplier base. This paper suggests that one key element in any strategy designed to mitigate supply chain risk is improved “end‐to‐end” visibility. It is argued that supply chain “confidence” will increase in proportion to the quality of supply chain information.

management