2024 Symposium Posters


Navigating Software Supply Chain Risks: Practitioner Perspectives on Software Signing


Primary Investigator:
Jamie Davis

Project Members
Kelechi G. Kalu, James C. Davis
Abstract
In today’s interconnected software landscape, safeguarding the integrity of software supply chains has become imperative. Software engineers have witnessed a concerning surge in software supply chain attacks despite the development of various methods, tools, standards, and guidelines to mitigate them. Current literature, regulations, and security frameworks recommend a number of security baselines, chief among them Software Signing. While software supply chain attack incidents continue to increase, current literature on the software supply chain focuses both on identifying risk factors and potential attack vectors in open-source software artifacts and on developing security methods to mitigate these risks. However, we lack an understanding of how Software Supply Chain risks are perceived by practitioners, and of how proposed security methods such as Software Signing are implemented and contribute to mitigating them. This knowledge gap poses significant concerns, since it may result in inadequate risk management strategies as proposed by regulations (and standards) and in inadequate design considerations for these security methods and tools, potentially exposing software ecosystems and organizations to serious vulnerabilities and security threats. This study conducts a qualitative analysis of software supply chain risks as perceived by practitioners. Additionally, we investigate the contribution and importance of Software Supply Chain security methods in mitigating these risks. Specifically, we conduct a case study on Software Signing as a widely recommended Software Supply Chain security method. We conducted interviews with 18 practitioners representing 11 organizations to understand how Software Signing contributes to mitigating Software Supply Chain attacks.
From our data, we identify Software Supply Chain risks highlighted by practitioners, the importance attached to Software Supply Chain security methods like Software Signing in the Software Engineering Process of various teams, and reasons why certain Software Signing implementations are preferred over others by practitioners. Our findings aim to contribute to the understanding of software supply chain security by highlighting the impact of human factors on Software Supply Chain risks and providing nuanced insights for effectively implementing Software Supply Chain security methods in practice.