As reported by Purdue University News, two Purdue researchers are taking aim at the growing surge of supply chain attacks directed at third-party software.
Sabine Brunswicker, a professor in Purdue Polytechnic’s Department of Technology, Leadership and Innovation, is collaborating with Santiago Torres-Arias, an assistant professor of electrical and computer engineering, to better understand how software supply chains are structured, in order to develop solutions for combating cybersecurity attacks that emerge from the use of open-source software.
As new technology becomes more and more advanced, many companies have come to rely on software suites that can be heavily and easily modified to fit the needs of computer scientists. To this end, open-source software is now commonly used in tech companies. The community of developers who help update and modify open-source software for free grant companies the freedom and modularity they need.
“It is undeniable that software supply chain security requires immediate and bold action to protect software — and hardware — users everywhere,” said Brunswicker, who has joint appointments in Purdue Polytechnic and the College of Liberal Arts. “As opposed to the clear visibility of compromises after the fact, however, there is very little existing work in understanding and modeling the way the software supply chains themselves are structured.
“Today, we lack the proper models and tools to measure and predict the risk for software vulnerabilities that emerge from reusing software technologies and development environments across multiple technical and institutional boundaries.”
Sahithi Kasim, a graduate student working on the project known as GUAC-alytics with Brunswicker, explained that the freedom of open-source software also means that it is less secure.
“Software packages have these things called direct dependencies and indirect dependencies. Basically every indirect dependency is a spot where the software relies on a third-party resource to fulfill a request. Each one of those dependencies is a potential vulnerability where a weak point in the third-party resource could be exploited,” said Kasim.
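The direct/indirect distinction Kasim describes is what makes transitive dependencies hard to reason about by hand: a single flawed package can be pulled in through several direct dependencies, each at a different depth. The following added example (not code from the Purdue or GUAC-alytics project) walks a constructed dependency manifest, classifies each reachable package as direct or indirect, and reports the chain through which the root reaches any package that appears on a constructed advisory list. Package names and the advisory id are placeholders.

```python
"""Transitive dependency risk walk (added illustration, not project code).

SAMPLE_DEPS and SAMPLE_ADVISORIES are constructed sample data; the
advisory id is a placeholder, not a real identifier.
"""
from collections import deque

# Constructed sample manifest: package -> list of its direct dependencies.
SAMPLE_DEPS = {
    "myapp": ["web-framework", "logger"],
    "web-framework": ["http-parser", "template-engine"],
    "template-engine": ["html-escape"],
    "http-parser": ["string-utils"],
    "logger": ["string-utils"],
    "string-utils": [],
    "html-escape": [],
}

# Constructed sample advisories: vulnerable package -> placeholder advisory id.
SAMPLE_ADVISORIES = {"string-utils": "EXAMPLE-ADV-0001"}


def resolve(root, deps):
    """Return {package: (depth, shortest_path)} for every package reachable
    from root. depth 1 = direct dependency, depth >= 2 = indirect.
    Breadth-first search, so the recorded path is the shortest one."""
    seen = {root: (0, [root])}          # also stops cycles back to root
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        depth, path = seen[pkg]
        for child in deps.get(pkg, []):
            if child in seen:
                continue                 # already reached by a shorter path
            seen[child] = (depth + 1, path + [child])
            queue.append(child)
    return {p: v for p, v in seen.items() if p != root}


def split_direct_indirect(root, deps):
    """Sorted lists of direct and indirect dependency names."""
    reach = resolve(root, deps)
    direct = sorted(p for p, (d, _) in reach.items() if d == 1)
    indirect = sorted(p for p, (d, _) in reach.items() if d >= 2)
    return direct, indirect


def paths_to(root, target, deps):
    """All simple paths from root to target. A vulnerable package that is
    pulled in through several direct dependencies has to be fixed (upgraded
    or replaced) on every one of these paths, not just the shortest."""
    found = []

    def walk(pkg, path):
        if pkg == target:
            found.append(path)
            return
        for child in deps.get(pkg, []):
            if child not in path:        # skip cycles
                walk(child, path + [child])

    walk(root, [root])
    return found


def exposed_advisories(root, deps, advisories):
    """Map each reachable vulnerable package to (advisory id, all paths)."""
    reach = resolve(root, deps)
    return {
        p: (advisories[p], paths_to(root, p, deps))
        for p in reach if p in advisories
    }


if __name__ == "__main__":
    direct, indirect = split_direct_indirect("myapp", SAMPLE_DEPS)
    print("direct:  ", direct)
    print("indirect:", indirect)
    for pkg, (adv, paths) in exposed_advisories(
            "myapp", SAMPLE_DEPS, SAMPLE_ADVISORIES).items():
        print(f"{pkg} ({adv}) reached via:")
        for path in paths:
            print("   " + " -> ".join(path))
```

On the sample manifest, `string-utils` is an indirect dependency reached both through `logger` and through `web-framework -> http-parser`; upgrading only one of those direct dependencies would leave the other path carrying the same vulnerable package, which is the kind of blind spot a supply-chain risk model has to surface.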
Google has allotted grant funding to this project, and the team’s ultimate goal is not only to develop tools that assess risk levels for individual software components, but also to build a public platform that allows companies to discover and mitigate risk within their own software supply chains.
Brunswicker and Torres-Arias are actively seeking doctoral, postdoctoral and even undergraduate students to join their team for this effort. The interdisciplinary project integrates knowledge and theories from software engineering, cybersecurity, computational and network science, artificial intelligence/machine learning and the social sciences.
The team has good reason to think that this mission will be a growing concern in the years to come. In a major cybersecurity wake-up call, attackers in December 2020 added malware to signed versions of software supplied by SolarWinds (an influential IT company), which then infiltrated 18,000 government and private organizations.
Read more at Purdue University News.
Additional information
- Software supply chain security risks are here: Are we equipped to act accordingly? (Purdue News)
- GUAC-alytics: Increasing transparency and security of open source supply-chains (Research Center for Open Digital Innovation)
- Sahithi Kasim at RCODI
- SolarWinds hack explained (techtarget.com)