SoK: A Defense-Oriented Evaluation of Software Supply Chain Security
Eman Abu Ishgair, Marcela S. Melara, Santiago Torres-Arias

TL;DR
This paper reviews software supply chain security, introduces the AStRA model for understanding its elements and relationships, and advocates for a defense-oriented approach to improve security practices and develop secure-by-design tools.
Contribution
It presents the AStRA model for representing supply chain elements and their causal relationships, systematizes security objectives, and identifies research gaps for future secure development tools.
Findings
Validated the AStRA model against prior attacks and taxonomies.
Identified key security objectives for supply chain defense.
Proposed opportunities for secure-by-design development tools.
Abstract
The software supply chain comprises a highly complex set of operations, processes, tools, institutions and human factors involved in creating a piece of software. A number of high-profile attacks that exploit a weakness in this complex ecosystem have spurred research in identifying classes of supply chain attacks. Yet, practitioners often lack the necessary information to understand their security posture and implement suitable defenses against these attacks. We argue that the next stage of software supply chain security research and development will benefit greatly from a defense-oriented approach that focuses on holistic bottom-up solutions. To this end, this paper introduces the AStRA model, a framework for representing fundamental software supply chain elements and their causal relationships. Using this model, we identify software supply chain security objectives that are needed to…
Taxonomy
Topics: Information and Cyber Security · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
