An Empirically Grounded Reference Architecture for Software Supply Chain Metadata Management
- URL: http://arxiv.org/abs/2310.06300v2
- Date: Sat, 8 Jun 2024 07:48:11 GMT
- Title: An Empirically Grounded Reference Architecture for Software Supply Chain Metadata Management
- Authors: Nguyen Khoi Tran, Samodha Pallewatta, M. Ali Babar
- Abstract summary: Adopting SSC metadata requires organisations to procure or develop a Software Supply Chain Metadata Management system (SCM2).
SCM2 is a suite of software tools for performing life cycle activities of SSC metadata documents such as creation, signing, distribution, and consumption.
This paper presents an empirically grounded Reference Architecture (RA) comprising a domain model and an architectural blueprint for SCM2 systems.
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: With the rapid rise in Software Supply Chain (SSC) attacks, organisations need thorough and trustworthy visibility over the entire SSC of their software inventory to detect risks early and identify compromised assets rapidly in the event of an SSC attack. One way to achieve such visibility is through SSC metadata: machine-readable and authenticated documents describing an artefact's lifecycle. Adopting SSC metadata requires organisations to procure or develop a Software Supply Chain Metadata Management system (SCM2), a suite of software tools for performing life cycle activities of SSC metadata documents such as creation, signing, distribution, and consumption. Selecting or developing an SCM2 is challenging due to the lack of a comprehensive domain model and architectural blueprint to aid practitioners in navigating the vast design space of SSC metadata terminologies, frameworks, and solutions. This paper addresses the above-mentioned challenge by presenting an empirically grounded Reference Architecture (RA) comprising a domain model and an architectural blueprint for SCM2 systems. Our proposed RA is constructed systematically on an empirical foundation built with industry-driven and peer-reviewed SSC security frameworks. Our theoretical evaluation, which consists of an architectural mapping of five prominent SSC security tools onto the RA, ensures its validity and applicability, thus affirming the proposed RA as an effective framework for analysing existing SCM2 solutions and guiding the engineering of new SCM2 systems.
Related papers
- Drop the Golden Apples: Identifying Third-Party Reuse by DB-Less Software Composition Analysis [11.193453132177222]
Third-party libraries (TPLs) in modern software development introduce significant security and compliance risks.
We propose the first framework of DB-Less Software Composition Analysis (SCA) to get rid of the traditional heavy database.
Our experiments on two typical scenarios, native library identification for Android and copy-based TPL reuse for C/C++, have demonstrated the favorable future for implementing database-less strategies in SCA.
arXiv Detail & Related papers (2025-03-28T16:25:24Z)
- Semi-Automated Design of Data-Intensive Architectures [49.1574468325115]
This paper introduces a development methodology for data-intensive architectures.
It guides architects in (i) designing a suitable architecture for their specific application scenario, and (ii) selecting an appropriate set of concrete systems to implement the application.
We show that the description languages we adopt can capture the key aspects of data-intensive architectures proposed by researchers and practitioners.
arXiv Detail & Related papers (2025-03-21T16:01:11Z)
- SHACL-SKOS Based Knowledge Representation of Material Safety Data Sheet (SDS) for the Pharmaceutical Industry [0.07037008937757394]
This paper outlines our SHACL-SKOS system architectural design and showcases our implementation for an industrial application streamlining the generation of a composite shipping cover sheet.
arXiv Detail & Related papers (2025-02-11T20:44:45Z)
- Securing Legacy Communication Networks via Authenticated Cyclic Redundancy Integrity Check [98.34702864029796]
We propose Authenticated Cyclic Redundancy Integrity Check (ACRIC).
ACRIC preserves backward compatibility without requiring additional hardware and is protocol agnostic.
We show that ACRIC offers robust security with minimal transmission overhead ( 1 ms).
arXiv Detail & Related papers (2024-11-21T18:26:05Z)
- Securing Satellite Link Segment: A Secure-by-Component Design [2.933774251508721]
This paper examines two Earth observation (EO) missions, one utilizing a single low Earth orbit (LEO) satellite and another through a network of satellites, employing a secure-by-component design strategy.
This approach begins by defining the scope of technical security engineering, decomposing the system into components and data flows, and enumerating attack surfaces.
It proceeds by identifying threats to low-level components, applying secure-by-design principles, redesigning components into secure blocks in alignment with the Space Attack Research & Tactic Analysis (SPARTA) framework, and crafting statements to the system design.
arXiv Detail & Related papers (2024-11-19T16:45:12Z)
- CTINEXUS: Leveraging Optimized LLM In-Context Learning for Constructing Cybersecurity Knowledge Graphs Under Data Scarcity [49.657358248788945]
Textual descriptions in cyber threat intelligence (CTI) reports are rich sources of knowledge about cyber threats.
Current CTI extraction methods lack flexibility and generalizability, often resulting in inaccurate and incomplete knowledge extraction.
We propose CTINexus, a novel framework leveraging optimized in-context learning (ICL) of large language models.
arXiv Detail & Related papers (2024-10-28T14:18:32Z)
- SecDOAR: A Software Reference Architecture for Security Data Orchestration, Analysis and Reporting [5.161531917413708]
We have presented an SRA for Security Data Orchestration, Analysis and Reporting (SecDOAR).
The SecDOAR SRA has been designed by leveraging existing scientific literature and security data standards.
The proposed SecDOAR SRA can be used by researchers and practitioners as a structured approach for designing and implementing cybersecurity monitoring, analysis and reporting systems.
arXiv Detail & Related papers (2024-08-23T08:11:27Z)
- An FPGA-Based Open-Source Hardware-Software Framework for Side-Channel Security Research [1.77513002450736]
Attacks based on side-channel analysis (SCA) pose a severe security threat to modern computing platforms.
This manuscript introduces a hardware-software framework meant for SCA research on FPGA targets.
It delivers an IoT-class system-on-chip (SoC) that includes a RISC-V CPU.
arXiv Detail & Related papers (2024-07-24T17:06:21Z)
- Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments [60.51751612363882]
We investigate the security implications of and software-based Open Radio Access Network (RAN) systems.
We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
arXiv Detail & Related papers (2024-05-03T07:18:45Z)
- Exploiting Self-Supervised Constraints in Image Super-Resolution [72.35265021054471]
This paper introduces a novel self-supervised constraint for single image super-resolution, termed SSC-SR.
SSC-SR uniquely addresses the divergence in image complexity by employing a dual asymmetric paradigm and a target model updated via exponential moving average to enhance stability.
Empirical evaluations reveal that our SSC-SR framework delivers substantial enhancements on a variety of benchmark datasets, achieving an average increase of 0.1 dB over EDSR and 0.06 dB over SwinIR.
arXiv Detail & Related papers (2024-03-30T06:18:50Z)
- DevPhish: Exploring Social Engineering in Software Supply Chain Attacks on Developers [0.3754193239793766]
Adversaries utilize Social Engineering (SocE) techniques specifically aimed at software developers.
This paper aims to comprehensively explore the existing and emerging SocE tactics employed by adversaries to trick Software Engineers (SWEs) into delivering malicious software.
arXiv Detail & Related papers (2024-02-28T15:24:43Z)
- Remote Sensing Image Classification using Transfer Learning and Attention Based Deep Neural Network [59.86658316440461]
We propose a deep learning based framework for RSISC, which makes use of the transfer learning technique and multihead attention scheme.
The proposed deep learning framework is evaluated on the benchmark NWPU-RESISC45 dataset and achieves the best classification accuracy of 94.7%.
arXiv Detail & Related papers (2022-06-20T10:05:38Z)
- Wider or Deeper Neural Network Architecture for Acoustic Scene Classification with Mismatched Recording Devices [59.86658316440461]
We present a robust and low complexity system for Acoustic Scene Classification (ASC).
We first construct an ASC baseline system in which a novel inception-residual-based network architecture is proposed to deal with the mismatched recording device issue.
To further improve the performance but still satisfy the low complexity model, we apply two techniques: ensemble of multiple spectrograms and channel reduction.
arXiv Detail & Related papers (2022-03-23T10:27:41Z)