Developing New Mechanisms to Enable Open Source Software (OSS) Supply Chain Transparency

Principal Investigator: Sabine Brunswicker

Open source software (OSS) has significantly increased the complexity of the software supply chain in terms of source code development, building and packaging, re-configuration and re-packaging (for instance, containerizing), and deployment. Nowadays, practically every software developer reuses and integrates packages from openly accessible OSS products when moving through this chain. Significant benefits include reduced development times and lower costs when reusing OSS packages. However, OSS supply chains risk malicious code deployment, attacks on source code repositories, and unsuccessful packaging procedures. In fact, according to the most recent Symantec Internet Security Threat Reports, the complexity of the OSS-dependent software supply chains has led to a cumulative increase in compromised software products of 750%. The technological and organizational dependency across various products and factors grows as more and more open-source software packages are reused and repackaged throughout supply chains. OSS supply chain interdependencies and the risk they pose are highly opaque, even though transparency is the core value of OSS development. Furthermore, the existing infrastructure does not disclose the risks' sources and consequences for other players in the OSS supply chain ecosystem.

In order to mitigate attacks of this nature, this project focuses on developing data science mechanisms to detect and prevent software supply chain attacks. This requires us to identify various data sources as well as their relationships to better understand threat indicators, the supply chain's vulnerable surface and the behavioral patterns trying to exploit these.

Personnel

Other PIs: Santiago Torres

Students: Sahithi Kasim

Keywords: data science, risk assessment, supply chain security