Proactive Software Supply Chain Risk Management Framework (P-SSCRM)
- URL: http://arxiv.org/abs/2404.12300v4
- Date: Thu, 15 May 2025 17:52:00 GMT
- Title: Proactive Software Supply Chain Risk Management Framework (P-SSCRM)
- Authors: Laurie Williams, Sammy Migues, Jamie Boote, Ben Hutchison,
- Abstract summary: Proactive Software Supply Chain Risk Management Framework is designed to help you understand and plan a secure software supply chain risk management initiative. It was created through a process of understanding and analyzing real world data from nine industry leading software supply chain risk management initiatives. It presents a model for understanding, quantifying, and developing a secure software supply chain risk management program.
- Score: 0.7999703756441756
- License: http://creativecommons.org/licenses/by-sa/4.0/
- Abstract: The Proactive Software Supply Chain Risk Management Framework (P-SSCRM) described in this document is designed to help you understand and plan a secure software supply chain risk management initiative. P-SSCRM was created through a process of understanding and analyzing real world data from nine industry leading software supply chain risk management initiatives as well as through the analysis and unification of ten government and industry documents, frameworks, and standards. Although individual methodologies and standards differ, many initiatives and standards share common ground. P-SSCRM describes this common ground and presents a model for understanding, quantifying, and developing a secure software supply chain risk management program and determining where your organization's existing efforts stand when contrasted with other real world software supply chain risk management initiatives.
Related papers
- The "4W+1H" of Software Supply Chain Security Checklist for Critical Infrastructure [10.196356816275996]
  Increasing frequency and sophistication of software supply chain attacks pose severe risks to critical infrastructure sectors. Despite growing awareness, existing security practices remain fragmented and insufficient. Few existing frameworks are explicitly tailored to CI domains.
  (2025-10-30T06:32:11Z)
- Establishing a Baseline of Software Supply Chain Security Task Adoption by Software Organizations [0.3079566893278951]
  Software supply chain attacks have increased exponentially since 2020. Tasks that mitigate the novel attack vectors through software components and the build infrastructure are in the early stages of adoption.
  (2025-09-09T18:39:03Z)
- Enhancing Software Supply Chain Security Through STRIDE-Based Threat Modelling of CI/CD Pipelines [1.3535770763481907]
  This study applies a structured threat modeling approach to identify and mitigate risks throughout the Continuous Integration/Continuous Deployment lifecycle. Threats are documented and to comprehensive security controls drawn from standards like NIST SP 800-218, Top 10 CI/CD risks, and the SLSA framework. This approach provides a pragmatic roadmap for enhancing CI/CD pipeline security against evolving software supply chain threats.
  (2025-06-06T19:06:59Z)
- From nuclear safety to LLM security: Applying non-probabilistic risk management strategies to build safe and secure LLM-powered systems [49.1574468325115]
  Large language models (LLMs) offer unprecedented and growing capabilities, but also introduce complex safety and security challenges. Previous research found that risk management in various fields of engineering such as nuclear or civil engineering is often solved by generic (i.e. field-agnostic) strategies. Here we show how emerging risks in LLM-powered systems could be met with 100+ of these non-probabilistic strategies to risk management.
  (2025-05-20T16:07:41Z)
- S3C2 Summit 2024-09: Industry Secure Software Supply Chain Summit [50.93790634176803]
  Over the past several years, there has been an exponential increase in cyberattacks targeting software supply chains. The ever-evolving threat of software supply chain attacks has garnered interest from the software industry and the US government. Three researchers from the NSF-backed Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 12 practitioners from 9 companies.
  (2025-05-15T17:48:14Z)
- Closing the Chain: How to reduce your risk of being SolarWinds, Log4j, or XZ Utils [0.8111409409504281]
  We map the attack techniques used in the SolarWinds, Log4j, and XZ Utils attacks to mitigating framework tasks. The three mitigation tasks with the highest scores are role-based access control, system monitoring, and boundary protection.
  (2025-03-15T16:22:09Z)
- An Analytics-Driven Approach to Enhancing Supply Chain Visibility with Graph Neural Networks and Federated Learning [52.79646338275159]
  We propose a novel approach that integrates Federated Learning (FL) and Graph Convolutional Neural Networks (GCNs) to enhance supply chain visibility. FL enables collaborative model training across countries by facilitating information sharing without requiring raw data exchange. GCNs empower the framework to capture intricate relational patterns within knowledge graphs, enabling accurate link prediction to uncover hidden connections.
  (2025-03-10T12:15:45Z)
- A Frontier AI Risk Management Framework: Bridging the Gap Between Current AI Practices and Established Risk Management [0.0]
  The recent development of powerful AI systems has highlighted the need for robust risk management frameworks. This paper presents a comprehensive risk management framework for the development of frontier AI.
  (2025-02-10T16:47:00Z)
- SoK: Unifying Cybersecurity and Cybersafety of Multimodal Foundation Models with an Information Theory Approach [58.93030774141753]
  Multimodal foundation models (MFMs) represent a significant advancement in artificial intelligence. This paper conceptualizes cybersafety and cybersecurity in the context of multimodal learning. We present a comprehensive Systematization of Knowledge (SoK) to unify these concepts in MFMs, identifying key threats.
  (2024-11-17T23:06:20Z)
- S3C2 Summit 2023-11: Industry Secure Supply Chain Summit [60.025314516749205]
  This paper summarizes the Industry Secure Supply Chain Summit held on November 16, 2023. The goal of this summit was to enable open discussions, mutual sharing, and shedding light on common challenges that industry practitioners with practical experience face when securing their software supply chain.
  (2024-08-29T13:40:06Z)
- Enhancing Supply Chain Visibility with Knowledge Graphs and Large Language Models [49.898152180805454]
  This paper presents a novel framework leveraging Knowledge Graphs (KGs) and Large Language Models (LLMs) to enhance supply chain visibility. Our zero-shot, LLM-driven approach automates the extraction of supply chain information from diverse public sources. With high accuracy in NER and RE tasks, it provides an effective tool for understanding complex, multi-tiered supply networks.
  (2024-08-05T17:11:29Z)
- Enhancing Software Supply Chain Resilience: Strategy For Mitigating Software Supply Chain Security Risks And Ensuring Security Continuity In Development Lifecycle [0.0]
  This article delves into the strategic approaches and preventive measures necessary to safeguard the software supply chain against evolving threats. It aims to foster an understanding of the challenges and vulnerabilities inherent in software supply chain resilience. The article contributes to the ongoing effort to strengthen the security posture of software supply chains.
  (2024-07-08T18:10:47Z)
- AI Risk Categorization Decoded (AIR 2024): From Government Regulations to Corporate Policies [88.32153122712478]
  We identify 314 unique risk categories organized into a four-tiered taxonomy. At the highest level, this taxonomy encompasses System & Operational Risks, Content Safety Risks, Societal Risks, and Legal & Rights Risks. We aim to advance AI safety through information sharing across sectors and the promotion of best practices in risk mitigation for generative AI models and systems.
  (2024-06-25T18:13:05Z)
- An Industry Interview Study of Software Signing for Supply Chain Security [5.433194344896805]
  Many cybersecurity frameworks, standards, and regulations recommend the use of software signing. Recent surveys have found that the adoption rate and quality of software signatures are low. We interviewed 18 high-ranking industry practitioners across 13 organizations.
  (2024-06-12T13:30:53Z)
- SoK: A Defense-Oriented Evaluation of Software Supply Chain Security [3.165193382160046]
  We argue that the next stage of software supply chain security research and development will benefit greatly from a defense-oriented approach. This paper introduces the AStRA model, a framework for representing fundamental software supply chain elements and their causal relationships.
  (2024-05-23T18:53:48Z)
- Assessing the Threat Level of Software Supply Chains with the Log Model [4.1920378271058425]
  The use of free and open source software (FOSS) components in all software systems is estimated to be above 90%. This work presents a novel approach of assessing threat levels in FOSS supply chains with the log model.
  (2023-11-20T12:44:37Z)
- Software supply chain: review of attacks, risk assessment strategies and security controls [0.13812010983144798]
  The software product is a source of cyber-attacks that target organizations by using their software supply chain as a distribution vector. We analyze the most common software supply chain attacks by providing the latest trend of analyzed attacks. This study introduces unique security controls to mitigate analyzed cyber-attacks and risks by linking them with real-life security incidence and attacks.
  (2023-05-23T15:25:39Z)
- ThreatKG: An AI-Powered System for Automated Open-Source Cyber Threat Intelligence Gathering and Management [65.0114141380651]
  ThreatKG is an automated system for OSCTI gathering and management. It efficiently collects a large number of OSCTI reports from multiple sources. It uses specialized AI-based techniques to extract high-quality knowledge about various threat entities.
  (2022-12-20T16:13:59Z)
- A System for Automated Open-Source Threat Intelligence Gathering and Management [53.65687495231605]
  SecurityKG is a system for automated OSCTI gathering and management. It uses a combination of AI and NLP techniques to extract high-fidelity knowledge about threat behaviors.
  (2021-01-19T18:31:35Z)
This list is automatically generated from the titles and abstracts of the papers in this site.