On securing software supply chains and mitigating attacks

RCODI Press Release: On securing software supply chains and mitigating attacks

A growing body of research on software supply chains is under way at Purdue University thanks to the collaboration between Dr. Sabine Brunswicker and Dr. Santiago Torres-Arias. While working toward a better understanding of these software structures, the GUAC-ALYTICS study aims to combat cybersecurity attacks that introduce risk to the majority of companies using open-source software (OSS). The rising challenges, and the holistic approaches taken to this under-resourced topic, are carefully documented in this Purdue Today article.


GUAC-ALYTICS focuses on increasing the transparency and security of these OSS supply chains, and originates from the GUAC project (Graph for Understanding Artifact Composition) from Google and Kusari. Using theories and models from network science and machine learning, preliminary results have highlighted systems that can determine potential risks and suggest effective risk management methods. Beyond that, future work in this program aims to discover different and better approaches to the problem described above. You can view the on-going study here: GUAC-ALYTICS

The importance of this study

A supply chain attack is a breach and compromise of goods, services, or technology supplied by a vendor to a customer, which introduces risk to that customer base. While the risk to any one organization varies, the prevalence of these attacks has prompted the development of processes to improve the security posture of software providers. A Gartner Inc study predicts that approximately 45% of global organizations will experience a software supply chain attack by 2025; more recently, in 2020, attackers added malware to signed versions of SolarWinds supplier software, which in turn was used to infiltrate 18,000 government and private organizations of varying sizes. As open-source tools and software make up a significant part of the software lifecycle, Dr. Brunswicker and Dr. Santiago suggest that corporations must prioritize securing their implementations of open-source software within their technology stack, using a holistic approach to address the challenges involved. Driven by the need to explore this issue and to mitigate the risks inherent in the complex nature of software supply chains, the study focuses on key factors to address this problem:

  • Designing a graph-based model for the prediction of risk and vulnerabilities that represents the overall relationships between products, packages, developers, users, organizations, and jurisdictions.
  • Developing tools to mine supply chain data in real time to further develop and supplement models that quantify and predict software supply chain risks.
  • Building an open-source platform that integrates tools for informing and enabling early warning and action, with the intent of mitigating risks and preventing future attacks.

A chance to contribute!

Dr. Brunswicker and Dr. Torres-Arias are looking for motivated students in doctoral, postdoctoral, and even undergraduate standing to join this effort!


My research interests include distributed digital innovation, AI, crowdsourcing, and open source software