Securing the Software Package Supply Chain for Critical Systems
Ritwik Murali, Akash Ravi

TL;DR
This paper discusses the importance of securing software supply chains for critical systems, highlighting a new framework that uses permissioned ledgers and multi-party signatures to prevent attacks and ensure stakeholder verification.
Contribution
It introduces a novel secure delivery framework for software supply chains that integrates permissioned ledgers with Proof of Authority and multi-party signatures.
Findings
Enhanced security against supply chain attacks
Allows stakeholder verification without disrupting existing systems
Prevents cascading failures in critical infrastructure
Abstract
Software systems have become an indispensable commodity across industries, and almost all essential services depend on them for effective operation. Software is no longer an independent, stand-alone piece of code written by a single developer but a collection of packages designed by multiple developers across the globe. Ensuring the reliability and resilience of these systems is crucial, since emerging threats target software supply chains, as demonstrated by the widespread SolarWinds compromise in late 2020. These supply chains extend beyond patches and updates to the distribution networks that operate throughout the software lifecycle. Industries such as smart grids, manufacturing, healthcare, and finance rely on interconnected software systems and their dependencies for effective functioning. To secure software modules and add-ons, robust distribution architectures are essential.…
