Evaluating Software Supply Chain Security in Research Software

• URL: http://arxiv.org/abs/2508.03856v1
• Date: Tue, 05 Aug 2025 19:14:37 GMT
• Title: Evaluating Software Supply Chain Security in Research Software
• Authors: Richard Hegewald, Rebecca Beyer,
• Abstract summary: This study analyses 3,248 high-quality, largely peer-reviewed research software repositories using the OpenSSF Scorecard.<n>We find a generally weak security posture with an average score of 3.5/10.<n> Important practices, such as signed releases and branch protection, are rarely implemented.
• Score: 0.0
• License: http://creativecommons.org/licenses/by-sa/4.0/
• Abstract: The security of research software is essential for ensuring the integrity and reproducibility of scientific results. However, research software security is still largely unexplored. Due to its dependence on open source components and distributed development practices, research software is particularly vulnerable to supply chain attacks. This study analyses 3,248 high-quality, largely peer-reviewed research software repositories using the OpenSSF Scorecard. We find a generally weak security posture with an average score of 3.5/10. Important practices, such as signed releases and branch protection, are rarely implemented. Finally, we present actionable, low-effort recommendations that can help research teams improve software security and mitigate potential threats to scientific integrity.

Related papers

• How Should We Enhance the Safety of Large Reasoning Models: An Empirical Study [90.34190170330481]
  Large Reasoning Models (LRMs) have achieved remarkable success on reasoning-intensive tasks such as mathematics and programming.<n>However, their enhanced reasoning capabilities do not necessarily translate to improved safety performance.<n>We present a comprehensive empirical study on how to enhance the safety of LRMs through Supervised Fine-Tuning.
  arXiv  Detail & Related papers  (2025-05-21T11:45:29Z)
• S3C2 Summit 2024-09: Industry Secure Software Supply Chain Summit [50.93790634176803]
  Over the past several years, there has been an exponential increase in cyberattacks targeting software supply chains.<n>The ever-evolving threat of software supply chain attacks has garnered interest from the software industry and the US government.<n>Three researchers from the NSF-backed Secure Software Supply Chain Center (S3C2) conducted a Secure Software Supply Chain Summit with a diverse set of 12 practitioners from 9 companies.
  arXiv  Detail & Related papers  (2025-05-15T17:48:14Z)
• Software Security in Software-Defined Networking: A Systematic Literature Review [6.462594894731934]
  Software-defined networking (SDN) has shifted network management by decoupling the data and control planes.<n>SDN's programmability has fueled its popularity but may have opened issues extending the attack surface by introducing vulnerable software.
  arXiv  Detail & Related papers  (2025-02-18T03:05:21Z)
• On Categorizing Open Source Software Security Vulnerability Reporting Mechanisms on GitHub [1.7174932174564534]
  Open-source projects are essential to software development, but publicly disclosing vulnerabilities without fixes increases the risk of exploitation.<n>The Open Source Security Foundation (OpenSSF) addresses this issue by promoting robust security policies to enhance project security.<n>Current research reveals that many projects perform poorly on OpenSSF criteria, indicating a need for stronger security practices.
  arXiv  Detail & Related papers  (2025-02-11T09:23:24Z)
• The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach [56.4040698609393]
  Software Bill of Materials (SBOM) has been promoted as a tool to increase transparency and verifiability in software composition. Current SBOM generation tools often suffer from inaccuracies in identifying components and dependencies. We propose PIP-sbom, a novel pip-inspired solution that addresses their shortcomings.
  arXiv  Detail & Related papers  (2024-09-10T10:12:37Z)
• Trust, but Verify: Evaluating Developer Behavior in Mitigating Security Vulnerabilities in Open-Source Software Projects [0.11999555634662631]
  This study investigates vulnerabilities in dependencies of sampled open-source software (OSS) projects. We have identified common issues in outdated or unmaintained dependencies, that pose significant security risks. Results suggest that reducing the number of direct dependencies and prioritizing well-established libraries with strong security records are effective strategies for enhancing the software security landscape.
  arXiv  Detail & Related papers  (2024-08-26T13:46:48Z)
• Safetywashing: Do AI Safety Benchmarks Actually Measure Safety Progress? [59.96471873997733]
  We propose an empirical foundation for developing more meaningful safety metrics and define AI safety in a machine learning research context.<n>We aim to provide a more rigorous framework for AI safety research, advancing the science of safety evaluations and clarifying the path towards measurable progress.
  arXiv  Detail & Related papers  (2024-07-31T17:59:24Z)
• A Survey of Third-Party Library Security Research in Application Software [3.280510821619164]
  With the widespread use of third-party libraries, associated security risks and potential vulnerabilities are increasingly apparent. Malicious attackers can exploit these vulnerabilities to infiltrate systems, execute unauthorized operations, or steal sensitive information. Research on third-party libraries in software becomes paramount to address this growing security challenge.
  arXiv  Detail & Related papers  (2024-04-27T16:35:02Z)
• Software supply chain: review of attacks, risk assessment strategies and security controls [0.13812010983144798]
  The software product is a source of cyber-attacks that target organizations by using their software supply chain as a distribution vector. We analyze the most common software supply chain attacks by providing the latest trend of analyzed attacks. This study introduces unique security controls to mitigate analyzed cyber-attacks and risks by linking them with real-life security incidence and attacks.
  arXiv  Detail & Related papers  (2023-05-23T15:25:39Z)
• Evaluating Model-free Reinforcement Learning toward Safety-critical Tasks [70.76757529955577]
  This paper revisits prior work in this scope from the perspective of state-wise safe RL. We propose Unrolling Safety Layer (USL), a joint method that combines safety optimization and safety projection. To facilitate further research in this area, we reproduce related algorithms in a unified pipeline and incorporate them into SafeRL-Kit.
  arXiv  Detail & Related papers  (2022-12-12T06:30:17Z)
• Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
  Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance. We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems. We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
  arXiv  Detail & Related papers  (2020-10-19T13:09:31Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.