An Industry Interview Study of Software Signing for Supply Chain Security
Kelechi G. Kalu, Tanya Singla, Chinenye Okafor, Santiago Torres-Arias, James C. Davis

TL;DR
This study explores industry perspectives on software signing practices, challenges, and impacts in supply chain security through interviews with security practitioners, revealing diverse challenges and attitudes affecting adoption.
Contribution
It provides an in-depth qualitative analysis of real-world challenges and perceptions related to software signing in industry, which was previously lacking.
Findings
Practitioners highlight technical, organizational, and human challenges.
Experts disagree on the importance of software signing.
Internal and external events influence signing adoption.
Abstract
Many software products are composed of components integrated from other teams or external parties. Each additional link in a software product's supply chain increases the risk of the injection of malicious behavior. To improve supply chain provenance, many cybersecurity frameworks, standards, and regulations recommend the use of software signing. However, recent surveys and measurement studies have found that the adoption rate and quality of software signatures are low. We lack in-depth industry perspectives on the challenges and practices of software signing. To understand software signing in practice, we interviewed 18 experienced security practitioners across 13 organizations. We study the challenges that affect the effective implementation of software signing in practice. We also provide possible impacts of experienced software supply chain failures, security standards, and…
Taxonomy
Topics: Information and Cyber Security
