Software Supply Chain Attacks

Reviewed by Greg Wilson / 2023-04-14
Keywords: Open Source, Security

This new paper about attacks on open source software supply chains succeeds on two fronts. First, the topic itself is timely and interesting: the number of attacks via package builds and repositories is increasing rapidly, so conscientious software developers need at least a basic understanding of the risk and how to mitigate it.

Second, this paper is an excellent model of what software engineering research could be. The authors have built a tool to help people explore risks in software supply chains and put it online at https://sap.github.io/risk-explorer-for-software-supply-chains/; the source code is available as well, which makes this work far more accessible than most of what we review. In particular, the readability of the paper and the availability of the tool make it easy to incorporate this work into undergraduate classes and workplace training seminars, so that it doesn't stay trapped in a PDF.

Piergiorgio Ladisa, Serena Elisa Ponta, Antonino Sabetta, Matias Martinez, and Olivier Barais. Journey to the center of software supply chain attacks. 2023. arXiv:2304.05200.

This work discusses open-source software supply chain attacks and proposes a general taxonomy describing how attackers conduct them. We then provide a list of safeguards to mitigate such attacks. We present our tool "Risk Explorer for Software Supply Chains" to explore such information and we discuss its industrial use-cases.