Almost two-thirds (61%) of U.S. businesses were directly impacted by a software supply chain attack in the 12-month period ending in April 2023
“Free and Open Source Software (FOSS) constitutes 70-90% of any given piece of modern software solutions.” -- OpenSSF (2022)
Developers are challenged with several conflicting priorities, so security is not always top of mind.
Seventy percent of security and IT leaders believe that software supply chain attacks are their biggest security blind spot. -- Venafi
As Sonatype dissects the intricacies of open source adoption and consumption, it validates a frustrating truth: development practices remain rife with inconsistency. When choices are made poorly, this inconsistency translates into increased risk, discontent among developers, and, perhaps most significantly, lost time and money. This year Sonatype found:
- 1 in 8 open source downloads have known risk.
- 245,000 malicious packages discovered — 2X all previous years combined
- 18.6% of open source projects across Java and JavaScript that were maintained in 2022 are no longer maintained today
- 96% of vulnerable downloaded releases had a fixed version available
- For every suboptimal component upgrade made, 10 better versions of that component were typically available
Let's build a trusted digital society together.
Leveraging Software Heritage to Enhance Cybersecurity
Towards an infrastructure for large scale software security
Our objective is to explore several of the new possibilities offered by the availability of Software Heritage to blend together the “vertical” and “horizontal” approaches to software supply chain security.
Software Heritage
Extend and improve the SWH infrastructure, with functionalities of interest to support its interaction with tools for vulnerability detection
Software security analysis at scale
Identification of vulnerabilities in a project
Tracing impact of vulnerabilities
Identification of dependencies in order to identify risks and manage the impact of change
Open source developer assistance
Automatic correction of vulnerabilities
Some publications on the topic
We found them relevant to read
P. Ladisa, S. Ponta, A. Sabetta, M. Martinez, O. Barais. Journey to the Center of Software Supply Chain Attacks. In IEEE Security & Privacy, vol. 21, no. 6, pp. 34-49, 2023. doi: 10.1109/MSEC.2023.3302066
C. Lamb, S. Zacchiroli. Reproducible Builds: Increasing the Integrity of Software Supply Chains. In IEEE Software, vol. 39, no. 2, pp. 62-70, IEEE Computer Society, 2022. ISSN 0740-7459.
R. Di Cosmo, S. Zacchiroli. The Software Heritage Open Science Ecosystem. pp. 33-61, Springer International Publishing, Cham, 2023.
R. Di Cosmo. Construire le pilier logiciel de la Science Ouverte. In Open Science European Conference (OSEC 2022), pp. 183-193, OpenEdition Press, 2022.
J. Lawall, G. Muller. Coccinelle: 10 Years of Automated Evolution in the Linux Kernel. In 2018 USENIX Annual Technical Conference (USENIX ATC 18), pp. 601-614, 2018.
R. Monat, A. Ouadjaout, A. Miné. Static Type Analysis by Abstract Interpretation of Python Programs. In 34th European Conference on Object-Oriented Programming (ECOOP 2020), 2020.
Q. Le Dilavrec, D. E. Khelladi, A. Blouin, J.-M. Jézéquel. HyperAST: Enabling Efficient Analysis of Software Histories at Scale. In Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering, 2022.
Q. Le Dilavrec, D. E. Khelladi, A. Blouin, J.-M. Jézéquel. HyperDiff: Computing Source Code Diffs at Scale. In Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2023.