pith. sign in

arxiv: 2405.14993 · v2 · pith:F2TTXFOBnew · submitted 2024-05-23 · 💻 cs.CR

SoK: A Defense-Oriented Evaluation of Software Supply Chain Security

classification 💻 cs.CR
keywords softwarechainsupplyattackssecuritymodelresearchcomplex
0
0 comments X
read the original abstract

The software supply chain comprises a highly complex set of operations, processes, tools, institutions and human factors involved in creating a piece of software. A number of high-profile attacks that exploit a weakness in this complex ecosystem have spurred research in identifying classes of supply chain attacks. Yet, practitioners often lack the necessary information to understand their security posture and implement suitable defenses against these attacks. We argue that the next stage of software supply chain security research and development will benefit greatly from a defense-oriented approach that focuses on holistic bottom-up solutions. To this end, this paper introduces the AStRA model, a framework for representing fundamental software supply chain elements and their causal relationships. Using this model, we identify software supply chain security objectives that are needed to mitigate common attacks and systematize knowledge on recent and well-established security techniques for their ability to meet these objectives. We validate our model against prior attacks and taxonomies. Finally, we identify emergent research gaps and propose opportunities to develop novel software development tools and systems that are secure-by-design.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 3 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. On Good Authority: Release-Authority Measurement for Registry-Mediated Package Ecosystems

    cs.SE 2026-06 conditional novelty 8.0

    The study defines a predecessor-aware release-authority record, applies it to 45,812 releases across five registries, and identifies 204 public release-path discontinuities with practitioner-validated review rules.

  2. On Good Authority: Release-Authority Measurement for Registry-Mediated Package Ecosystems

    cs.SE 2026-06 unverdicted novelty 7.0

    Introduces a predecessor-aware release-authority record and applies it to 43,100 comparisons across five registries to surface 204 policy-triggering release-path discontinuities validated by blinded practitioner review.

  3. An Evidence-driven Protocol for Trustworthy CI Pipelines

    cs.CR 2026-05 unverdicted novelty 5.0

    An evidence-driven protocol binds deterministic builds with TEE attestations to deliver verifiable integrity and provenance for CI artifacts without requiring consumer re-execution.