Software Supply Chain Risk: Characterization, Measurement & Attenuation
With the accelerating adoption of open source software, and an ever-growing body of case studies of security vulnerabilities being introduced by said open source software (Log4J arbitrary code execution, OpenSSH backdoor by way of XZ-utils, and the Polyfill CDN take over), the need for supply chain...
Gespeichert in:
| Veröffentlicht in: | IEEE/ACM International Conference on Automated Software Engineering : [proceedings] S. 2506 - 2509 |
|---|---|
| 1. Verfasser: | |
| Format: | Tagungsbericht |
| Sprache: | Englisch |
| Veröffentlicht: |
ACM
27.10.2024
|
| Schlagworte: | |
| ISSN: | 2643-1572 |
| Online-Zugang: | Volltext |
| Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
| Abstract | With the accelerating adoption of open source software, and an ever-growing body of case studies of security vulnerabilities being introduced by said open source software (Log4J arbitrary code execution, OpenSSH backdoor by way of XZ-utils, and the Polyfill CDN take over), the need for supply chain observability has become increasingly urgent. This need has been acknowledged by both industry and government, with calls to enforce the adoption of Software Bills of Materials (SBOMs).Current software security metrology efforts focus on individual packages within an ecosystem, with very little work exploring how security risk propagates through dependency networks. This research proposal sets out a number of research objectives and proposed approaches that when combined look to develop metrics that better align with the needs of software engineering practitioners, and further the understanding of the role of dependency networks in the propagation of risk within open source software. |
|---|---|
| AbstractList | With the accelerating adoption of open source software, and an ever-growing body of case studies of security vulnerabilities being introduced by said open source software (Log4J arbitrary code execution, OpenSSH backdoor by way of XZ-utils, and the Polyfill CDN take over), the need for supply chain observability has become increasingly urgent. This need has been acknowledged by both industry and government, with calls to enforce the adoption of Software Bills of Materials (SBOMs).Current software security metrology efforts focus on individual packages within an ecosystem, with very little work exploring how security risk propagates through dependency networks. This research proposal sets out a number of research objectives and proposed approaches that when combined look to develop metrics that better align with the needs of software engineering practitioners, and further the understanding of the role of dependency networks in the propagation of risk within open source software. |
| Author | Butler, Alexis |
| Author_xml | – sequence: 1 givenname: Alexis surname: Butler fullname: Butler, Alexis email: alexis.butler.2023@live.rhul.ac.uk organization: Royal Holloway University of London,London,United Kingdom |
| BookMark | eNotjktLw0AURkdRsNas3bjIypWp8364K0GrUBGsrsud9AYH2yRMJpT6642P1Tnwwcc5JydN2yAhl4zOGJPqVmjHNKezkUpTe0QyZ5yVlBrGpTXHZMK1FAVThp-RrO-Dp6MqzZiekMWqrdMeIuaroeu2h7z8gNDkr6H_vPvxCFXCGL4ghba5yZ8R-iHiDpuUX-fzlLAZfqcLclrDtsfsn1Py_nD_Vj4Wy5fFUzlfFjC2pIK5WjkvtLVjoDK6ct4qDiCktxsuDXhnKg0OURocUYm64h6k5xvvgToxJVd_vwER110MO4iHNaNGSyul-AZx_U6E |
| CODEN | IEEPAD |
| ContentType | Conference Proceeding |
| DBID | 6IE 6IL CBEJK RIE RIL |
| DOI | 10.1145/3691620.3695608 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Xplore POP ALL IEEE Xplore All Conference Proceedings IEEE Electronic Library (IEL) IEEE Proceedings Order Plans (POP All) 1998-Present |
| DatabaseTitleList | |
| Database_xml | – sequence: 1 dbid: RIE name: IEEE Electronic Library (IEL) url: https://ieeexplore.ieee.org/ sourceTypes: Publisher |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Computer Science |
| EISBN | 9798400712487 |
| EISSN | 2643-1572 |
| EndPage | 2509 |
| ExternalDocumentID | 10764844 |
| Genre | orig-research |
| GroupedDBID | 6IE 6IF 6IH 6IK 6IL 6IM 6IN 6J9 AAJGR AAWTH ABLEC ACREN ADYOE ADZIZ AFYQB ALMA_UNASSIGNED_HOLDINGS AMTXH BEFXN BFFAM BGNUA BKEBE BPEOZ CBEJK CHZPO IEGSK IPLJI M43 OCL RIE RIL |
| ID | FETCH-LOGICAL-a248t-19f59b3688840576c9b852aa34b8d247ab97c6a9ee47ea9ec3fc2ba4b2dbba093 |
| IEDL.DBID | RIE |
| ISICitedReferencesCount | 0 |
| ISICitedReferencesURI | http://www.webofscience.com/api/gateway?GWVersion=2&SrcApp=Summon&SrcAuth=ProQuest&DestLinkType=CitingArticles&DestApp=WOS_CPL&KeyUT=001353105400263&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| IngestDate | Wed Jan 15 06:20:43 EST 2025 |
| IsPeerReviewed | false |
| IsScholarly | true |
| Language | English |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-a248t-19f59b3688840576c9b852aa34b8d247ab97c6a9ee47ea9ec3fc2ba4b2dbba093 |
| PageCount | 4 |
| ParticipantIDs | ieee_primary_10764844 |
| PublicationCentury | 2000 |
| PublicationDate | 2024-Oct.-27 |
| PublicationDateYYYYMMDD | 2024-10-27 |
| PublicationDate_xml | – month: 10 year: 2024 text: 2024-Oct.-27 day: 27 |
| PublicationDecade | 2020 |
| PublicationTitle | IEEE/ACM International Conference on Automated Software Engineering : [proceedings] |
| PublicationTitleAbbrev | ASE |
| PublicationYear | 2024 |
| Publisher | ACM |
| Publisher_xml | – name: ACM |
| SSID | ssib057256116 ssj0051577 |
| Score | 2.2722008 |
| Snippet | With the accelerating adoption of open source software, and an ever-growing body of case studies of security vulnerabilities being introduced by said open... |
| SourceID | ieee |
| SourceType | Publisher |
| StartPage | 2506 |
| SubjectTerms | Attenuation measurement Industries Metrology Observability Open source software Proposals Security Software engineering Software measurement Supply chains |
| Title | Software Supply Chain Risk: Characterization, Measurement & Attenuation |
| URI | https://ieeexplore.ieee.org/document/10764844 |
| WOSCitedRecordID | wos001353105400263&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV07T8MwELZoxcBUHkW85QExEUicix9sqKKwUFU8pG6V7VxFhdRWbQri33NOUioGBqZYyWLfxfd95-S7Y-w8RoIZcBDF0mMEIy8ig0Ergw6UHQE9grLZhOr19GBg-rVYvdTCIGL58xlehWH5LT-f-mU4KqMdriRogAZrKCUrsdbq5ckUgXcSuE4Vhgmnlapr-SSQXaeSiJCgHFWGjED_aqZSYkm39c9ZbLP2WpXH-z94s8M2cLLLWqu2DLzepXvs_plC66edIy9bdn7xzhul__xpvHi_CeO6QHOlv7zkj-tTQn7Bbwsi0VX57zZ77d69dB6iul9CZAXoIkrMKDMulZTUBhomvXE6E9am4HQuyPTOKC-tQQSFdPEpucZZcCJ3zsYm3WfNyXSCB4xbJGfRKjEkjJhaiz4XMbErxEQ7mx2ydjDMcFaVxBiubHL0x_1jtiWIDYSgL9QJaxbzJZ6yTf9RjBfzs9KR33IKntI |
| linkProvider | IEEE |
| linkToHtml | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV09T8MwELWgIMFUPor4xgNiIpA4lzhmQxWliLaqoEjdKtu9igopRW0K4t9zTlIqBgamWMmS3MV-75y8e4yd-0gwAwY8P7bowcgKT6HTyqABqUdAlyA3m5CdTtLvq24pVs-1MIiY_3yGV26Yf8sfTuzcbZXRDJcxJACrbC0CEH4h11q8PpEk-A4c2ykWYkJqKctuPgFE12FMVEhQlRq7miD5ZaeSo0mj-s_72GK1pS6Pd38QZ5utYLrDqgtjBl7O0112_0yL66eeIs9NO794_VWPU_40nr3duHHZorlQYF7y9nKfkF_w24xodNEAvMZeGne9etMrHRM8LSDJvECNImXCmMpaR8Riq0wSCa1DMMlQUPCNkjbWChEk0sGGlByjwYihMdpX4R6rpJMU9xnXSOmip0RXMmKoNdqh8IlfIQaJ0dEBq7nADN6LphiDRUwO_zh_xjaavXZr0HroPB6xTUHcwEGAkMeskk3neMLW7Uc2nk1P86R-A-TJohk |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=proceeding&rft.title=IEEE%2FACM+International+Conference+on+Automated+Software+Engineering+%3A+%5Bproceedings%5D&rft.atitle=Software+Supply+Chain+Risk%3A+Characterization%2C+Measurement+%26+Attenuation&rft.au=Butler%2C+Alexis&rft.date=2024-10-27&rft.pub=ACM&rft.eissn=2643-1572&rft.spage=2506&rft.epage=2509&rft_id=info:doi/10.1145%2F3691620.3695608&rft.externalDocID=10764844 |