Software Supply Chain Risk: Characterization, Measurement & Attenuation

With the accelerating adoption of open source software, and an ever-growing body of case studies of security vulnerabilities being introduced by said open source software (Log4J arbitrary code execution, OpenSSH backdoor by way of XZ-utils, and the Polyfill CDN take over), the need for supply chain...

Celý popis

Uložené v:
Podrobná bibliografia
Vydané v:IEEE/ACM International Conference on Automated Software Engineering : [proceedings] s. 2506 - 2509
Hlavný autor: Butler, Alexis
Médium: Konferenčný príspevok..
Jazyk:English
Vydavateľské údaje: ACM 27.10.2024
Predmet:
Attenuation measurement
Industries
Metrology
Observability
Open source software
Proposals
Security
Software engineering
Software measurement
Supply chains
ISSN:2643-1572
On-line prístup:Získať plný text
Tagy: Pridať tag
Žiadne tagy, Buďte prvý, kto otaguje tento záznam!
Popis
Shrnutí:With the accelerating adoption of open source software, and an ever-growing body of case studies of security vulnerabilities being introduced by said open source software (Log4J arbitrary code execution, OpenSSH backdoor by way of XZ-utils, and the Polyfill CDN take over), the need for supply chain observability has become increasingly urgent. This need has been acknowledged by both industry and government, with calls to enforce the adoption of Software Bills of Materials (SBOMs).Current software security metrology efforts focus on individual packages within an ecosystem, with very little work exploring how security risk propagates through dependency networks. This research proposal sets out a number of research objectives and proposed approaches that when combined look to develop metrics that better align with the needs of software engineering practitioners, and further the understanding of the role of dependency networks in the propagation of risk within open source software.
ISSN:2643-1572
DOI:10.1145/3691620.3695608