Securing Software Supply Chains: A Case for New Research in Software Security?

By Achim D. Brucker.

Today, software is rarely developed "on the green field": software developers are "composers" that build new systems by combining existing solutions. Custom code is, in many development projects, a curiosity.

As a result, modern software depends on numerous third-party projects, which are sometimes as small as three lines of code or as large as several million lines of code. On the one hand, these projects speed up development. On the other hand, their use requires trust and care: with a few lines of code in an installation script, your development system can be attacked, or a small vulnerability in a dependency can be the root cause of one of the largest data leaks of recent years.

In this talk, I will argue that the mature tools and techniques for developing secure software do not work well in an environment where software is composed instead of developed. Using real-world examples of third-party components, I will make the case that research in secure software engineering needs to re-prioritize topics to be fit for a world of software composition.

Please cite this work as follows:
A. D. Brucker, "Securing software supply chains: A case for new research in software security?" presented at the Workshop on Secure Software Engineering (SSE 2019), Kent, UK, Aug. 28, 2019. Invited keynote. Author copy: https://logicalhacking.com/publications/talk-brucker-sw-supply-chain-research-2019/

BibTeX
@Unpublished{ talk:brucker:sw-supply-chain-research:2019,
  author     = {Achim D. Brucker},
  date       = {2019-08-28},
  title      = {Securing Software Supply Chains: A Case for New Research in
                Software Security?},
  abstract   = {Today, software is rarely developed "on the green field":
                software developers are ``composers'' that build new systems by
                combining existing solutions. Custom code is, in many
                development projects, a curiosity.
                
                As a result, modern software depends on numerous third-party
                projects, which are sometimes as small as three lines of
                code or as large as several million lines of code. On the one
                hand, these projects speed up development. On the other
                hand, their use requires trust and care: with a few lines of
                code in an installation script, your development system can be
                attacked, or a small vulnerability in a dependency can be the
                root cause of one of the largest data leaks of recent years.
                
                In this talk, I will argue that the mature tools and
                techniques for developing secure software do not work well in
                an environment where software is composed instead of
                developed. Using real-world examples of third-party
                components, I will make the case that research in secure
                software engineering needs to re-prioritize topics to be fit
                for a world of software composition.},
  eventtitle = {Workshop on Secure Software Engineering (SSE 2019)},
  venue      = {Kent, UK},
  note       = {Invited Keynote.
                Author copy: \url{https://logicalhacking.com/publications/talk-brucker-sw-supply-chain-research-2019/}},
  areas      = {software, security},
  pdf        = {https://logicalhacking.com/publications/talk-brucker-sw-supply-chain-research-2019/talk-brucker-sw-supply-chain-research-2019.pdf},
}