SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties
Chinenye Okafor, Taylor R. Schorlemmer, Santiago Torres-Arias, James C. Davis

TL;DR
This paper systematically analyzes software supply chain security by defining key security properties, reviewing current approaches, and identifying gaps to improve the robustness of supply chain defenses.
Contribution
It introduces three core security properties for supply chain security and maps existing approaches to these properties, providing a comprehensive framework and identifying research gaps.
Findings
Current security approaches differ in which of the three properties (transparency, validity, separation) they provide and in how well they hold up against known attacks
Mapping approaches to the three properties reveals gaps, particularly in actor- and operation-centered techniques
Case studies of supply chains in practice illustrate how these gaps show up in real deployments
Abstract
This paper systematizes knowledge about secure software supply chain patterns. It identifies four stages of a software supply chain attack and proposes three security properties crucial for a secured supply chain: transparency, validity, and separation. The paper describes current security approaches and maps them to the proposed security properties, including research ideas and case studies of supply chains in practice. It discusses the strengths and weaknesses of current approaches relative to known attacks and details the various security frameworks proposed to ensure the security of the software supply chain. Finally, the paper highlights potential gaps in actor- and operation-centered supply chain security techniques.
Taxonomy
Topics: Information and Cyber Security · Software Engineering Techniques and Practices
