Growing Risks in the Software Supply Chain
Mark Sherman
Carnegie Mellon University
Today’s software is largely assembled rather than written, and most of the assembly comes from open source components. The creation of components and their inclusion into applications creates a “supply chain” just like in conventional manufacturing. While physical supply chains have well established chains-of-custody to establish properties like refrigeration maintenance, authenticity or spoilage avoidance, the software supply chain is very much a wild, wild west, filled with vulnerabilities that can be (and are) inadvertently inserted into applications.
As supply chain risk and mitigations are being explored by government and academia, a larger attack surface is being uncovered that needs to be addressed. This presentation describes the parts of the software supply chain, how vulnerabilities have been introduced, the growing attack surface from new methods of building and distributing software, and the actions that developers can employ to avoid or mitigate the risks inherent in an assembly-based software development strategy.
|
|
|
| ▭ | Slides |
Resources
- Forum of Incident Response and Security Teams (FIRST) — CVSS v4.0
- NTIA, Software Component Transparency — SBOM Survey (2019)
- NIST, Risk Management Framework 2.0 (2018)
- ATOS, Method of Qualification and Selection of Open Source software (QSOS) (2013)
- FinServ ISAC, Appropriate Software Security Control Types for Third Party Service and Product Providers (2013)
- TAXII, STIX and CybOX
References
- Sonatype, State of the Software Supply Chain (2019)
- Graham, Software Bill of Materials (SBoM) - Does It Work for DevSecOps? (2019)
- Alberts et al, Assessing DoD System Acquisition Supply Chain Risk Management (2017)
- Axelrod, Malware, Weakware and the Security of Software Supply Chains (2014)
- Christey & Martin, Buying Into the Bias: Why Vulnerability Statistics Suck: slides · video (Blackhat 2013)
- Clark et al, Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities (2010)