An Industry Interview Study of Software Signing for Supply Chain Security

• URL: http://arxiv.org/abs/2406.08198v2
• Date: Thu, 30 Jan 2025 01:19:49 GMT
• Title: An Industry Interview Study of Software Signing for Supply Chain Security
• Authors: Kelechi G. Kalu, Tanya Singla, Chinenye Okafor, Santiago Torres-Arias, James C. Davis,
• Abstract summary: We study the challenges that affect the effective implementation of software signing in practice. We highlight the different challenges-technical, organizational, and human-that hamper software signing implementation.
• Score: 5.433194344896805
• License:
• Abstract: Many software products are composed of components integrated from other teams or external parties. Each additional link in a software product's supply chain increases the risk of the injection of malicious behavior. To improve supply chain provenance, many cybersecurity frameworks, standards, and regulations recommend the use of software signing. However, recent surveys and measurement studies have found that the adoption rate and quality of software signatures are low. We lack in-depth industry perspectives on the challenges and practices of software signing. To understand software signing in practice, we interviewed 18 experienced security practitioners across 13 organizations. We study the challenges that affect the effective implementation of software signing in practice. We also provide possible impacts of experienced software supply chain failures, security standards, and regulations on software signing adoption. To summarize our findings: (1) We present a refined model of the software supply chain factory model highlighting practitioner's signing practices; (2) We highlight the different challenges-technical, organizational, and human-that hamper software signing implementation; (3) We report that experts disagree on the importance of signing; and (4) We describe how internal and external events affect the adoption of software signing. Our work describes the considerations for adopting software signing as one aspect of the broader goal of improved software supply chain security.

Related papers

• The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393]
  Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition. Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies. We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
  arXiv  Detail & Related papers  (2024-09-10T10:12:37Z)
• S3C2 Summit 2023-11: Industry Secure Supply Chain Summit [60.025314516749205]
  This paper summarizes the Industry Secure Supply Chain Summit held on November 16, 2023. The goal of this summit was to enable open discussions, mutual sharing, and shedding light on common challenges that industry practitioners with practical experience face when securing their software supply chain.
  arXiv  Detail & Related papers  (2024-08-29T13:40:06Z)
• Security Challenges of Complex Space Applications: An Empirical Study [0.0]
  I investigate the security challenges of the development and management of complex space applications. I discuss the four most critical security challenges identified by the interviewed experts: verification of software artifacts, verification of the deployed application, single point of security failure, and data tampering by trusted stakeholders. I propose future research of new DevSecOps strategies, practices, and tools which would enable better methods of software integrity verification in the space and defense industries.
  arXiv  Detail & Related papers  (2024-08-15T10:02:46Z)
• Agent-Driven Automatic Software Improvement [55.2480439325792]
  This research proposal aims to explore innovative solutions by focusing on the deployment of agents powered by Large Language Models (LLMs) The iterative nature of agents, which allows for continuous learning and adaptation, can help surpass common challenges in code generation. We aim to use the iterative feedback in these systems to further fine-tune the LLMs underlying the agents, becoming better aligned to the task of automated software improvement.
  arXiv  Detail & Related papers  (2024-06-24T15:45:22Z)
• Position: How Regulation Will Change Software Security Research [3.8165295526908243]
  We argue that software engineering research needs to provide better tools and support that helps industry comply with the new standards. We argue for a stronger cooperation between legal scholars and computer scientists.
  arXiv  Detail & Related papers  (2024-06-06T15:16:44Z)
• SoK: A Defense-Oriented Evaluation of Software Supply Chain Security [3.165193382160046]
  We argue that the next stage of software supply chain security research and development will benefit greatly from a defense-oriented approach. This paper introduces the AStRA model, a framework for representing fundamental software supply chain elements and their causal relationships.
  arXiv  Detail & Related papers  (2024-05-23T18:53:48Z)
• Assessing the Threat Level of Software Supply Chains with the Log Model [4.1920378271058425]
  The use of free and open source software (FOSS) components in all software systems is estimated to be above 90%. This work presents a novel approach of assessing threat levels in FOSS supply chains with the log model.
  arXiv  Detail & Related papers  (2023-11-20T12:44:37Z)
• Investigate how developers and managers view security design in software [0.0]
  We interviewed a team of 7 developers and 2 managers, who worked in two teams to build a real-life software product that was recently compromised by a cyber-attack. We obtained their views on the reasons for the successful attack by the malware and took their recommendations on the important aspects to consider regarding security.
  arXiv  Detail & Related papers  (2023-10-22T22:44:02Z)
• Lessons from Formally Verified Deployed Software Systems (Extended version) [65.69802414600832]
  This article examines a range of projects, in various application areas, that have produced formally verified systems and deployed them for actual use. It considers the technologies used, the form of verification applied, the results obtained, and the lessons that the software industry should draw regarding its ability to benefit from formal verification techniques and tools.
  arXiv  Detail & Related papers  (2023-01-05T18:18:46Z)
• Empowered and Embedded: Ethics and Agile Processes [60.63670249088117]
  We argue that ethical considerations need to be embedded into the (agile) software development process. We put emphasis on the possibility to implement ethical deliberations in already existing and well established agile software development processes.
  arXiv  Detail & Related papers  (2021-07-15T11:14:03Z)
• Improving Compositionality of Neural Networks by Decoding Representations to Inputs [83.97012077202882]
  We bridge the benefits of traditional and deep learning programs by jointly training a generative model to constrain neural network activations to "decode" back to inputs. We demonstrate applications of decodable representations to out-of-distribution detection, adversarial examples, calibration, and fairness.
  arXiv  Detail & Related papers  (2021-06-01T20:07:16Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.