Securing the Software Package Supply Chain for Critical Systems using Permissioned Blockchains
Software systems have become an indispensable commodity used across industries, and almost all essential services depend on them to operate. Software is no longer an independent, stand-alone piece of code written by a single developer but rather a collection of packages designed by many developers across the globe. The secure use of software modules and add-ons requires a robust and reliable package distribution architecture for building highly customized software. The number of reported threats and affected packages has been increasing continuously, thereby endangering essential services. This paper augments the existing software package delivery framework with additional checks and balances to identify and report vulnerabilities. This is achieved by implementing a permissioned ledger that leverages Proof of Authority consensus and multi-party signatures. The system aims to prevent attacks while allowing every stakeholder to verify this for themselves. Critical systems can interface with the secure pipeline without disrupting existing functionality, thus preventing the cascading effect of an attack at any point in the supply chain.