An Industry Interview Study of Software Signing for Supply Chain Security
- URL: http://arxiv.org/abs/2406.08198v1
- Date: Wed, 12 Jun 2024 13:30:53 GMT
- Title: An Industry Interview Study of Software Signing for Supply Chain Security
- Authors: Kelechi G. Kalu, Tanya Singla, Chinenye Okafor, Santiago Torres-Arias, James C. Davis,
- Abstract summary: Many cybersecurity frameworks, standards, and regulations recommend the use of software signing.
Recent surveys have found that the adoption rate and quality of software signatures are low.
We interviewed 18 high-ranking industry practitioners across 13 organizations.
- Score: 5.433194344896805
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Many software products are composed by the recursive integration of components from other teams or external parties. Each additional link in a software product's supply chain increases the risk of the injection of malicious behavior. To improve supply chain provenance, many cybersecurity frameworks, standards, and regulations recommend the use of software signing. However, recent surveys and measurement studies have found that the adoption rate and quality of software signatures are low. These findings raise questions about the practical application of software signing, the human factors influencing its adoption, and the challenges faced during its implementation. We lack in-depth industry perspectives on the challenges and practices of software signing. To understand software signing in practice, we interviewed 18 high-ranking industry practitioners across 13 organizations. We provide possible impacts of experienced software supply chain failures, security standards, and regulations on software signing adoption. We also study the challenges that affect an effective software signing implementation. To summarize our findings: (1) We present a refined model of the software supply chain factory model highlighting practitioner's signing practices; (2) We highlight the different challenges -- Technical, Organizational, and Human -- that hamper software signing implementation; (3) We report that expert subjects disagree on the importance of signing; (4) We describe how failure incidents and industry standards affect the adoption of software signing and other security techniques. Our findings contribute to the understanding of software supply chain security by highlighting the impact of human and organizational factors on Software Supply Chain risks and providing nuanced insights for effectively implementing Software Supply Chain security controls -- towards Software signing in practice.
Related papers
- Agent-Driven Automatic Software Improvement [55.2480439325792]
This research proposal aims to explore innovative solutions by focusing on the deployment of agents powered by Large Language Models (LLMs)
The iterative nature of agents, which allows for continuous learning and adaptation, can help surpass common challenges in code generation.
We aim to use the iterative feedback in these systems to further fine-tune the LLMs underlying the agents, becoming better aligned to the task of automated software improvement.
arXiv Detail & Related papers (2024-06-24T15:45:22Z) - Position: How Regulation Will Change Software Security Research [3.8165295526908243]
We argue that software engineering research needs to provide better tools and support that helps industry comply with the new standards.
We argue for a stronger cooperation between legal scholars and computer scientists.
arXiv Detail & Related papers (2024-06-06T15:16:44Z) - SoK: A Defense-Oriented Evaluation of Software Supply Chain Security [3.165193382160046]
We argue that the next stage of software supply chain security research and development will benefit greatly from a defense-oriented approach.
This paper introduces the AStRA model, a framework for representing fundamental software supply chain elements and their causal relationships.
arXiv Detail & Related papers (2024-05-23T18:53:48Z) - A Survey and Comparative Analysis of Security Properties of CAN Authentication Protocols [92.81385447582882]
The Controller Area Network (CAN) bus leaves in-vehicle communications inherently non-secure.
This paper reviews and compares the 15 most prominent authentication protocols for the CAN bus.
We evaluate protocols based on essential operational criteria that contribute to ease of implementation.
arXiv Detail & Related papers (2024-01-19T14:52:04Z) - Assessing the Threat Level of Software Supply Chains with the Log Model [4.1920378271058425]
The use of free and open source software (FOSS) components in all software systems is estimated to be above 90%.
This work presents a novel approach of assessing threat levels in FOSS supply chains with the log model.
arXiv Detail & Related papers (2023-11-20T12:44:37Z) - Investigate how developers and managers view security design in software [0.0]
We interviewed a team of 7 developers and 2 managers, who worked in two teams to build a real-life software product that was recently compromised by a cyber-attack.
We obtained their views on the reasons for the successful attack by the malware and took their recommendations on the important aspects to consider regarding security.
arXiv Detail & Related papers (2023-10-22T22:44:02Z) - Analyzing Maintenance Activities of Software Libraries [65.268245109828]
Industrial applications heavily integrate open-source software libraries nowadays.
I want to introduce an automatic monitoring approach for industrial applications to identify open-source dependencies that show negative signs regarding their current or future maintenance activities.
arXiv Detail & Related papers (2023-06-09T16:51:25Z) - Software supply chain: review of attacks, risk assessment strategies and
security controls [0.13812010983144798]
The software product is a source of cyber-attacks that target organizations by using their software supply chain as a distribution vector.
We analyze the most common software supply chain attacks by providing the latest trend of analyzed attacks.
This study introduces unique security controls to mitigate analyzed cyber-attacks and risks by linking them with real-life security incidence and attacks.
arXiv Detail & Related papers (2023-05-23T15:25:39Z) - Lessons from Formally Verified Deployed Software Systems (Extended version) [65.69802414600832]
This article examines a range of projects, in various application areas, that have produced formally verified systems and deployed them for actual use.
It considers the technologies used, the form of verification applied, the results obtained, and the lessons that the software industry should draw regarding its ability to benefit from formal verification techniques and tools.
arXiv Detail & Related papers (2023-01-05T18:18:46Z) - Empowered and Embedded: Ethics and Agile Processes [60.63670249088117]
We argue that ethical considerations need to be embedded into the (agile) software development process.
We put emphasis on the possibility to implement ethical deliberations in already existing and well established agile software development processes.
arXiv Detail & Related papers (2021-07-15T11:14:03Z) - Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance.
We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems.
We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
arXiv Detail & Related papers (2020-10-19T13:09:31Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.