Evaluating Software Supply Chain Security in Research Software
Richard Hegewald, Rebecca Beyer

TL;DR
This paper assesses the security of research software, revealing weak security practices and proposing practical recommendations to enhance software supply chain security and protect scientific integrity.
Contribution
It provides the first large-scale analysis of research software security using the OpenSSF Scorecard and offers actionable guidance for improvement.
Findings
Average security score of 3.5/10 across repositories
Rare implementation of signed releases and branch protection
Recommendations for low-effort security improvements
Abstract
The security of research software is essential for ensuring the integrity and reproducibility of scientific results. However, research software security is still largely unexplored. Due to its dependence on open source components and distributed development practices, research software is particularly vulnerable to supply chain attacks. This study analyses 3,248 high-quality, largely peer-reviewed research software repositories using the OpenSSF Scorecard. We find a generally weak security posture with an average score of 3.5/10. Important practices, such as signed releases and branch protection, are rarely implemented. Finally, we present actionable, low-effort recommendations that can help research teams improve software security and mitigate potential threats to scientific integrity.
