An Industry Interview Study of Software Signing for Supply Chain Security
- URL: http://arxiv.org/abs/2406.08198v1
- Date: Wed, 12 Jun 2024 13:30:53 GMT
- Title: An Industry Interview Study of Software Signing for Supply Chain Security
- Authors: Kelechi G. Kalu, Tanya Singla, Chinenye Okafor, Santiago Torres-Arias, James C. Davis,
- Abstract summary: Many cybersecurity frameworks, standards, and regulations recommend the use of software signing.
Recent surveys have found that the adoption rate and quality of software signatures are low.
We interviewed 18 high-ranking industry practitioners across 13 organizations.
- Score: 5.433194344896805
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Many software products are composed by the recursive integration of components from other teams or external parties. Each additional link in a software product's supply chain increases the risk of the injection of malicious behavior. To improve supply chain provenance, many cybersecurity frameworks, standards, and regulations recommend the use of software signing. However, recent surveys and measurement studies have found that the adoption rate and quality of software signatures are low. These findings raise questions about the practical application of software signing, the human factors influencing its adoption, and the challenges faced during its implementation. We lack in-depth industry perspectives on the challenges and practices of software signing. To understand software signing in practice, we interviewed 18 high-ranking industry practitioners across 13 organizations. We provide possible impacts of experienced software supply chain failures, security standards, and regulations on software signing adoption. We also study the challenges that affect an effective software signing implementation. To summarize our findings: (1) We present a refined model of the software supply chain factory model highlighting practitioner's signing practices; (2) We highlight the different challenges -- Technical, Organizational, and Human -- that hamper software signing implementation; (3) We report that expert subjects disagree on the importance of signing; (4) We describe how failure incidents and industry standards affect the adoption of software signing and other security techniques. Our findings contribute to the understanding of software supply chain security by highlighting the impact of human and organizational factors on Software Supply Chain risks and providing nuanced insights for effectively implementing Software Supply Chain security controls -- towards Software signing in practice.
Related papers
- The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393]
Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition.
Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies.
We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
arXiv Detail & Related papers (2024-09-10T10:12:37Z) - S3C2 Summit 2023-11: Industry Secure Supply Chain Summit [60.025314516749205]
This paper summarizes the Industry Secure Supply Chain Summit held on November 16, 2023.
The goal of this summit was to enable open discussions, mutual sharing, and shedding light on common challenges that industry practitioners with practical experience face when securing their software supply chain.
arXiv Detail & Related papers (2024-08-29T13:40:06Z) - Security Challenges of Complex Space Applications: An Empirical Study [0.0]
I investigate the security challenges of the development and management of complex space applications.
I discuss the four most critical security challenges identified by the interviewed experts: verification of software artifacts, verification of the deployed application, single point of security failure, and data tampering by trusted stakeholders.
I propose future research of new DevSecOps strategies, practices, and tools which would enable better methods of software integrity verification in the space and defense industries.
arXiv Detail & Related papers (2024-08-15T10:02:46Z) - Agent-Driven Automatic Software Improvement [55.2480439325792]
This research proposal aims to explore innovative solutions by focusing on the deployment of agents powered by Large Language Models (LLMs)
The iterative nature of agents, which allows for continuous learning and adaptation, can help surpass common challenges in code generation.
We aim to use the iterative feedback in these systems to further fine-tune the LLMs underlying the agents, becoming better aligned to the task of automated software improvement.
arXiv Detail & Related papers (2024-06-24T15:45:22Z) - SoK: A Defense-Oriented Evaluation of Software Supply Chain Security [3.165193382160046]
We argue that the next stage of software supply chain security research and development will benefit greatly from a defense-oriented approach.
This paper introduces the AStRA model, a framework for representing fundamental software supply chain elements and their causal relationships.
arXiv Detail & Related papers (2024-05-23T18:53:48Z) - A Survey and Comparative Analysis of Security Properties of CAN Authentication Protocols [92.81385447582882]
The Controller Area Network (CAN) bus leaves in-vehicle communications inherently non-secure.
This paper reviews and compares the 15 most prominent authentication protocols for the CAN bus.
We evaluate protocols based on essential operational criteria that contribute to ease of implementation.
arXiv Detail & Related papers (2024-01-19T14:52:04Z) - Assessing the Threat Level of Software Supply Chains with the Log Model [4.1920378271058425]
The use of free and open source software (FOSS) components in all software systems is estimated to be above 90%.
This work presents a novel approach of assessing threat levels in FOSS supply chains with the log model.
arXiv Detail & Related papers (2023-11-20T12:44:37Z) - Investigate how developers and managers view security design in software [0.0]
We interviewed a team of 7 developers and 2 managers, who worked in two teams to build a real-life software product that was recently compromised by a cyber-attack.
We obtained their views on the reasons for the successful attack by the malware and took their recommendations on the important aspects to consider regarding security.
arXiv Detail & Related papers (2023-10-22T22:44:02Z) - Software supply chain: review of attacks, risk assessment strategies and
security controls [0.13812010983144798]
The software product is a source of cyber-attacks that target organizations by using their software supply chain as a distribution vector.
We analyze the most common software supply chain attacks by providing the latest trend of analyzed attacks.
This study introduces unique security controls to mitigate analyzed cyber-attacks and risks by linking them with real-life security incidence and attacks.
arXiv Detail & Related papers (2023-05-23T15:25:39Z) - Lessons from Formally Verified Deployed Software Systems (Extended version) [65.69802414600832]
This article examines a range of projects, in various application areas, that have produced formally verified systems and deployed them for actual use.
It considers the technologies used, the form of verification applied, the results obtained, and the lessons that the software industry should draw regarding its ability to benefit from formal verification techniques and tools.
arXiv Detail & Related papers (2023-01-05T18:18:46Z) - Empowered and Embedded: Ethics and Agile Processes [60.63670249088117]
We argue that ethical considerations need to be embedded into the (agile) software development process.
We put emphasis on the possibility to implement ethical deliberations in already existing and well established agile software development processes.
arXiv Detail & Related papers (2021-07-15T11:14:03Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.