William Enck,Yasemin Acar,Michel Cukier,Alexandros Kapravelos,Christian Kästner,Laurie Williams

DOI: https://doi.org/10.48550/arXiv.2308.06850

2023-08-13

Cryptography and Security

Abstract:Recent years have shown increased cyber attacks targeting less secure elements in the software supply chain and causing fatal damage to businesses and organizations. Past well-known examples of software supply chain attacks are the SolarWinds or log4j incidents that have affected thousands of customers and businesses. The US government and industry are equally interested in enhancing software supply chain security. On June 7, 2023, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 17 practitioners from 13 government agencies. The goal of the Summit was two-fold: (1) to share our observations from our previous two summits with industry, and (2) to enable sharing between individuals at the government agencies regarding practical experiences and challenges with software supply chain security. For each discussion topic, we presented our observations and take-aways from the industry summits to spur conversation. We specifically focused on the Executive Order 14028, software bill of materials (SBOMs), choosing new dependencies, provenance and self-attestation, and large language models. The open discussions enabled mutual sharing and shed light on common challenges that government agencies see as impacting government and industry practitioners when securing their software supply chain. In this paper, we provide a summary of the Summit.

Marcela S. Melara,Mic Bowman

DOI: https://doi.org/10.48550/arXiv.2209.04006

2022-09-08

Cryptography and Security

Abstract:The software supply chain involves a multitude of tools and processes that enable software developers to write, build, and ship applications. Recently, security compromises of tools or processes has led to a surge in proposals to address these issues. However, these proposals commonly overemphasize specific solutions or conflate goals, resulting in unexpected consequences, or unclear positioning and usage. In this paper, we make the case that developing practical solutions is not possible until the community has a holistic view of the security problem; this view must include both the technical and procedural aspects. To this end, we examine three use cases to identify common security goals, and present a goal-oriented taxonomy of existing solutions demonstrating a holistic overview of software supply chain security.

Badis Hammi,Sherali Zeadally

DOI: https://doi.org/10.1109/mc.2023.3273491

2023-07-01

Computer

Abstract:Software application development involves various actors and organizations in what is called the software supply chain. We discuss how we can achieve strong resilience of the software supply chain to cyberthreats and then propose a holistic end-to-end security approach for the software supply chain.

computer science, software engineering, hardware & architecture

Betul Gokkaya,Leonardo Aniello,Basel Halak

DOI: https://doi.org/10.48550/arXiv.2305.14157

2023-05-23

Cryptography and Security

Abstract:The software product is a source of cyber-attacks that target organizations by using their software supply chain as a distribution vector. As the reliance of software projects on open-source or proprietary modules is increasing drastically, SSC is becoming more and more critical and, therefore, has attracted the interest of cyber attackers. While existing studies primarily focus on software supply chain attacks' prevention and detection methods, there is a need for a broad overview of attacks and comprehensive risk assessment for software supply chain security. This study conducts a systematic literature review to fill this gap. We analyze the most common software supply chain attacks by providing the latest trend of analyzed attacks, and we identify the security risks for open-source and third-party software supply chains. Furthermore, this study introduces unique security controls to mitigate analyzed cyber-attacks and risks by linking them with real-life security incidence and attacks.

Nusrat Zahan,Yasemin Acar,Michel Cukier,William Enck,Christian Kästner,Alexandros Kapravelos,Dominik Wermke,Laurie Williams

2024-08-29

Abstract:Cyber attacks leveraging or targeting the software supply chain, such as the SolarWinds and the Log4j incidents, affected thousands of businesses and their customers, drawing attention from both industry and government stakeholders. To foster open dialogue, facilitate mutual sharing, and discuss shared challenges encountered by stakeholders in securing their software supply chain, researchers from the NSF-supported Secure Software Supply Chain Center (S3C2) organize Secure Supply Chain Summits with stakeholders. This paper summarizes the Industry Secure Supply Chain Summit held on November 16, 2023, which consisted of \panels{} panel discussions with a diverse set of \participants{} practitioners from the industry. The individual panels were framed with open-ended questions and included the topics of Software Bills of Materials (SBOMs), vulnerable dependencies, malicious commits, build and deploy infrastructure, reducing entire classes of vulnerabilities at scale, and supporting a company culture conductive to securing the software supply chain. The goal of this summit was to enable open discussions, mutual sharing, and shedding light on common challenges that industry practitioners with practical experience face when securing their software supply chain.

Cryptography and Security

Greg Tystahl,Yasemin Acar,Michel Cukier,William Enck,Christian Kastner,Alexandros Kapravelos,Dominik Wermke,Laurie Williams

2024-05-15

Abstract:Supply chain security has become a very important vector to consider when defending against adversary attacks. Due to this, more and more developers are keen on improving their supply chains to make them more robust against future threats. On March 7th, 2024 researchers from the Secure Software Supply Chain Center (S3C2) gathered 14 industry leaders, developers and consumers of the open source ecosystem to discuss the state of supply chain security. The goal of the summit is to share insights between companies and developers alike to foster new collaborations and ideas moving forward. Through this meeting, participants were questions on best practices and thoughts how to improve things for the future. In this paper we summarize the responses and discussions of the summit. The panel questions can be found in the appendix.

Cryptography and Security

Piergiorgio Ladisa,Serena Elisa Ponta,Antonino Sabetta,Matias Martinez,Olivier Barais

DOI: https://doi.org/10.48550/arXiv.2304.05200

2023-04-11

Abstract:This work discusses open-source software supply chain attacks and proposes a general taxonomy describing how attackers conduct them. We then provide a list of safeguards to mitigate such attacks. We present our tool "Risk Explorer for Software Supply Chains" to explore such information and we discuss its industrial use-cases.

Cryptography and Security,Software Engineering

Md Jobair Hossain Faruk,Masrura Tasnim,Hossain Shahriar,Maria Valero,Akond Rahman,Fan Wu

DOI: https://doi.org/10.1109/ISSREW55968.2022.00081

2022-01-01

Abstract:Software supply chain attacks occur during the processes of producing software is compromised, resulting in vulnerabilities that target downstream customers. While the number of successful exploits is limited, the impact of these attacks is significant. Despite increased awareness and research into software supply chain attacks, there is limited information available on mitigating or architecting for these risks, and existing information is focused on singular and independent elements of the supply chain. In this paper, we extensively review software supply chain security using software development tools and infrastructure. We investigate the path that attackers find is least resistant followed by adapting and finding the next best way to complete an attack. We also provide a thorough discussion on how common software supply chain attacks can be prevented, preventing malicious hackers from gaining access to an organization's development tools and infrastructure including the development environment. We considered various SSC attacks on stolen code-sign certificates by malicious attackers and prevented unnoticed malware from passing by security scanners. We are aiming to extend our research to contribute to preventing software supply chain attacks by proposing novel techniques and frameworks.

Chinenye Okafor,Taylor R. Schorlemmer,Santiago Torres-Arias,James C. Davis

2024-06-14

Abstract:This paper systematizes knowledge about secure software supply chain patterns. It identifies four stages of a software supply chain attack and proposes three security properties crucial for a secured supply chain: transparency, validity, and separation. The paper describes current security approaches and maps them to the proposed security properties, including research ideas and case studies of supply chains in practice. It discusses the strengths and weaknesses of current approaches relative to known attacks and details the various security frameworks put out to ensure the security of the software supply chain. Finally, the paper highlights potential gaps in actor and operation-centered supply chain security techniques

Cryptography and Security,Software Engineering

Ahmed Akinsola,Abdullah Akinde

DOI: https://doi.org/10.5121/ijsc.2024.15201

2024-07-09

Abstract:This article delves into the strategic approaches and preventive measures necessary to safeguard the software supply chain against evolving threats. It aims to foster an understanding of the challenges and vulnerabilities inherent in software supply chain resilience and to promote transparency and trust in the digital infrastructure that underpins contemporary society. By examining the concept of software supply chain resilience and assessing the current state of supply chain security, the article provides a foundation for discussing strategies and practices that can mitigate security risks and ensure security continuity throughout the development lifecycle. Through this comprehensive analysis, the article contributes to the ongoing effort to strengthen the security posture of software supply chains, thereby ensuring the reliable and secure operation of digital systems in a connected world

Cryptography and Security

Yijun Shen,Xiang Gao,Hailong Sun,Yu Guo

DOI: https://doi.org/10.1007/s10664-024-10581-2

IF: 3.762

2024-11-08

Empirical Software Engineering

Abstract:Due to the dependency relations among software, vulnerabilities in software supply chains (SSC) may cause more serious security threats than independent software systems. This poses new challenges for ensuring software security including the spread of risks and the increase in maintenance costs.

computer science, software engineering

Jeferson Martínez,Javier M. Durán

DOI: https://doi.org/10.18280/ijsse.110505

2021-10-31

International Journal of Safety and Security Engineering

Abstract:Exploitation of a vulnerability that compromised the source code of the Solar Winds’ Orion system, a software that is used widely by different government and industry actors in the world for the administration and monitoring of networks; brought to the fore a type of stealth attack that has been gaining momentum: supply chain attacks. The main problem in the violation of the software supply chain is that, from 85% to 97% of the code currently used in the software development industry comes from the reuse of open source code frameworks, repositories of third-party software and APIs, creating potential vulnerabilities in the development cycle of a software product. This research analyzes the SolarWinds case study from an exploratory review of academic literature, government information, but also from the articles and reports that are published by different cybersecurity consulting firms and software providers. Then, a set of good practices is proposed such as: Zero trust, Multi-Factor authentication mechanisms (MFA), strategies such as SBOM and the recommendations of the CISA guide to defend against this type of attack. Finally, the research discusses about how to improve response times and prevention against this type of attacks, also future research related to the subject is suggested, such as the application of Machine Learning and Blockchain technologies. Additionally for risk reduction, in addition to the management and articulation of IT teams that participate in all the actors that are part of the software life cycle under a DevSecOps approach.

Olubunmi Adeolu Adenekan,Chinedu Ezeigweneme,Excel Great Chukwurah

DOI: https://doi.org/10.51594/ijmer.v6i5.1125

2024-05-12

International Journal of Management & Entrepreneurship Research

Abstract:This review paper explores the multifaceted realm of cybersecurity within IT supply chains, addressing the intricate challenges posed by digital vulnerabilities, high-profile cyber incidents, and emerging threats. It highlights the criticality of continuous risk assessment, the implementation of international security standards, and the necessity for enhanced management of third-party vendors. The paper also delves into advanced technological solutions like blockchain, AI, and machine learning for bolstering security, advocating for best practices including the zero-trust model, regular employee training, and secure software development. Emphasizing a proactive over a reactive approach, the paper underscores the evolving nature of cyber threats and the imperative for adaptive strategies. It calls for concerted efforts from businesses, policymakers, and IT professionals to prioritize and continuously refine cybersecurity measures in safeguarding IT supply chains against future threats. Keywords: IT Supply Chain, Cybersecurity, Risk Management, Blockchain, Zero-Trust Model, Artificial Intelligence.

Beatriz M. Reichert,Rafael R. Obelheiro

DOI: https://doi.org/10.1080/1206212x.2024.2390978

2024-08-21

International Journal of Computers and Applications

Abstract:In recent years, software supply chain security has attracted significant research attention. This research subject is concerned both with the security of infrastructures used to build software and deliver it to end users and with the security of software that contains external dependencies such as third-party packages and libraries, and its chief goal is to ensure that no vulnerabilities are introduced in the path between developers and users. This paper presents a Systematic Literature Review to identify knowledge gaps in software supply chain security. For this, we considered studies published between 2012 and 2023 in the search engines of IEEE Xplore, ACM Digital Library, Engineering Village, Scopus, and arXiv. Of the 2051 studies obtained in the primary survey, only 85 are relevant for this research. Analyzing the studies, we observed gaps such as little discussion of software supply chains that involve cloud components, few proposals focused on the software distribution process, and a lack of use of threat modeling frameworks to help identify threats to the supply chain and validate the results.

Nusrat Zahan

DOI: https://doi.org/10.1109/ICSE-Companion58688.2023.00068

2023-05-01

Abstract:Sonatype has recorded an average 700% jump in software supply chain attacks [1], measured by the number of newly-published malicious packages in open-source repositories. The 2022 Synopsys report [2] assessed the reliance of the software industry on open-source software (OSS), and estimated that 97% of applications use OSS and 78% of the code comes from OSS. Practitioners did not anticipate how the software supply chain would become a deliberate attack vector and how the risk of the software supply chain would keep growing. Practitioners are more aware of the supply chain risks and want to know how to detect the implementation of package security practices and the security risk so they can make informed decisions to select dependencies for their projects. The goal of this research is to aid practitioners in producing more secure software products that are resistant to supply chain attacks through the identification and evaluation of actionable security metrics to detect risky components in the dependency graph. To achieve this goal, the thesis presents research on software security metrics evaluation in different ecosystems by leveraging software security frameworks, malicious attack vectors, and the OpenSSF Scorecard project to detect the implementation of secure practices and their significance to security outcomes.

Computer Science,Business,Engineering

Shengyi Pan,Lingfeng Bao,Jiayuan Zhou,Xing Hu,Xin Xia,Shanping Li

DOI: https://doi.org/10.1145/3663529.3663835

2024-01-01

Abstract:Today’s software industry heavily relies on open source software (OSS). However, the rapidly increasing number of OSS software vulnerabilities (SVs) poses huge security risks to the software supply chain. Managing the SVs in the relied OSS components has become a critical concern for software vendors. Due to the limited resources in practice, an essential focus for the vendors is to locate and prioritize the remediation of critical SVs (CSVs), i.e., those tend to cause huge losses. Particularly, in the software industry, vendors are obliged to comply with the security service level agreement (SLA), which mandates the fix of CSVs within a short time frame (e.g., 15 days). However, to the best of our knowledge, there is no empirical study that specifically investigates CSVs. The existing works only target at general SVs, missing a view of the unique characteristics of CSVs. In this paper, we investigate the distributions (from temporal, type, and repository dimension) and the current remediation practice of CSVs in the OSS ecosystem, especially their differences compared with non-critical SVs (NCSVs). We adopt the industry standard to refer SVs with a 9+ Common Vulnerability Scoring System (CVSS) score as CSVs and others as NCSVs. We collect a large-scale dataset containing 14,867 SVs and artifacts associated with their remediation (e.g., issue report, commit) across 4,462 GitHub repositories. Our findings regarding CSV distributions can help practitioners better locate these hot spots. Regarding the remediation practice, we observe that though CSVs receive higher priorities, some practices (e.g., complicated review and testing pro-cess) may unintentionally cause the delay to their fixes. We also point out the risks of SV information leakage during remediation process, which could leave a window-of-opportunity of over 30 days on median for zero-day attacks. Based on our findings, we provide implications to improve the current CSV remediation practice.

Vikas Hassija,Vinay Chamola,Vatsal Gupta,Sarthak Jain,Nadra Guizani

DOI: https://doi.org/10.1109/jiot.2020.3025775

IF: 10.6

2021-04-15

IEEE Internet of Things Journal

Abstract:The rapid improvement in the global connectivity standards has escalated the level of trade taking place among different parties. Advanced communication standards are allowing the trade of all types of commodities and services. Furthermore, the goods and services developed in a particular region are transcending boundaries to enter into foreign markets. Supply chains play an essential role in the trade of these goods. To be able to realize a connected world with no boundary restrictions in terms of goods and services, it is imperative to keep the associated supply chains transparent, secure, and trustworthy. Therefore, some fundamental changes in the current supply chain architecture are essential to achieve a secure trade environment. This article discusses the supply chain's security-critical application areas and presents a detailed survey of the security issues in the existing supply chain architecture. Various emerging technologies, such as blockchain, machine learning (ML), and physically unclonable functions (PUFs) as solutions to the vulnerabilities in the existing infrastructure of the supply chain have also been discussed. Recent studies reviewed in this work reveal a growing sentiment in the industry toward new and emerging technologies, such as Internet of Things (IoT), blockchain, and ML. While many organizations have already adopted IoT applications and artificial intelligence systems in their businesses, widespread adoption of blockchain remains distant. It has also been found that over the past decade, PUF-based authentication systems have gained much ground. However, a proper reference model for their implementation in complex supply chains is still missing.

computer science, information systems,telecommunications,engineering, electrical & electronic

Luıs Soeiro,Thomas Robert,Stefano Zacchiroli

2023-11-20

Abstract:The use of free and open source software (FOSS) components in all software systems is estimated to be above 90%. With such high usage and because of the heterogeneity of FOSS tools, repositories, developers and ecosystem, the level of complexity of managing software development has also increased. This has amplified both the attack surface for malicious actors and the difficulty of making sure that the software products are free from threats. The rise of security incidents involving high profile attacks is evidence that there is still much to be done to safeguard software products and the FOSS supply chain. Software Composition Analysis (SCA) tools and the study of attack trees help with improving security. However, they still lack the ability to comprehensively address how interactions within the software supply chain may impact security. This work presents a novel approach of assessing threat levels in FOSS supply chains with the log model. This model provides information capture and threat propagation analysis that not only account for security risks that may be caused by attacks and the usage of vulnerable software, but also how they interact with the other elements to affect the threat level for any element in the model.

Cryptography and Security

Kelechi G. Kalu,Tanya Singla,Chinenye Okafor,Santiago Torres-Arias,James C. Davis

2024-06-12

Abstract:Many software products are composed by the recursive integration of components from other teams or external parties. Each additional link in a software product's supply chain increases the risk of the injection of malicious behavior. To improve supply chain provenance, many cybersecurity frameworks, standards, and regulations recommend the use of software signing. However, recent surveys and measurement studies have found that the adoption rate and quality of software signatures are low. These findings raise questions about the practical application of software signing, the human factors influencing its adoption, and the challenges faced during its implementation. We lack in-depth industry perspectives on the challenges and practices of software signing. To understand software signing in practice, we interviewed 18 high-ranking industry practitioners across 13 organizations. We provide possible impacts of experienced software supply chain failures, security standards, and regulations on software signing adoption. We also study the challenges that affect an effective software signing implementation. To summarize our findings: (1) We present a refined model of the software supply chain factory model highlighting practitioner's signing practices; (2) We highlight the different challenges -- Technical, Organizational, and Human -- that hamper software signing implementation; (3) We report that expert subjects disagree on the importance of signing; (4) We describe how failure incidents and industry standards affect the adoption of software signing and other security techniques. Our findings contribute to the understanding of software supply chain security by highlighting the impact of human and organizational factors on Software Supply Chain risks and providing nuanced insights for effectively implementing Software Supply Chain security controls -- towards Software signing in practice.

Software Engineering,Cryptography and Security