Software supply chain security risks are here: Are we equipped to act accordingly?
Two Purdue University researchers are taking aim at the growing surge of supply chain attacks, particularly those directed at third-party software suppliers and vendors connected to the actual target.
Sabine Brunswicker, a professor of digital innovation and communication, is collaborating with Santiago Torres-Arias, an assistant professor of electrical and computer engineering, to better understand how software supply chains are structured, with the goal of developing solutions to combat cybersecurity attacks that emerge from the use of open-source software.
To support their Purdue efforts, Brunswicker and Torres-Arias received a coveted donation from Google totaling $200,000 to advance their research in this space. The two also are affiliated with the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue.
"It is undeniable that software supply chain security requires immediate and bold action to protect software—and hardware—users everywhere," says Brunswicker, who has joint appointments in Purdue Polytechnic Institute and the College of Liberal Arts. "As opposed to the clear visibility of compromises after the fact, however, there is very little existing work in understanding and modeling the way the software supply chains themselves are structured.
"Today, we lack the proper models and tools to measure and predict the risk for software vulnerabilities that emerge from reusing software technologies and development environments across multiple technical and institutional boundaries."
A supply chain attack is the breach and compromise of goods, services or technology supplied by a vendor to a customer, which introduces a risk to the customer base. While the risk to an organization can vary, the prevalence of such attacks has prompted the development of processes to improve the security posture of software companies, Brunswicker and Torres-Arias say.
With the rise in the number of digital supply chain attacks and the havoc they can wreak on major industry sectors and the overall economy, the work by the Purdue duo is especially timely:
- According to technological research and consulting giant Gartner Inc., 45% of global organizations are projected to experience a software supply chain attack by 2025, a threefold jump from 2021.
- In a major cybersecurity wakeup call, attackers inserted a backdoor into signed builds of SolarWinds' Orion software; by the time the compromise was disclosed in December 2020, the trojanized update had been downloaded by roughly 18,000 government and private customer organizations, a subset of which were then targeted for follow-on intrusion.
Because there are open-source components throughout the software lifecycle, Brunswicker and Torres-Arias explain, organizations need to first secure the open-source software they use. Enterprises and agencies, for example, use an average of more than 40,000 open-source software packages downloaded by developers, and each of those can bring in another 77 dependencies. Each component relies on the others to function, so a vulnerability or a compromise in any one of them is inherited by everything built on top of it.
"Major software supply chain attacks such as SolarWinds are central to the conversation about cybersecurity," says Torres-Arias, whose expertise is in secure systems, applied cryptography and software supply chain security. "The hack of SolarWinds' software more than two years ago pushed the threat of software supply chain attacks to the front of security conversations, but is anything being done?"
Building on the Google research grant, their efforts are now focused on these key objectives:
- Design a graph-based model for data-driven prediction of risk and vulnerabilities that represents the overall software supply chain as a set of interdependent relationships among products, packages, developers, users, organizations and jurisdictions.
- Develop tools to mine software supply chain data in real time for developing and using models that quantify and predict software supply chain risks.
- Build a publicly accessible platform that integrates tools that can help inform and enable early action to mitigate risks and prevent future software supply chain attacks.
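To make the two ideas above concrete (that one package pulls in many transitive dependencies, and that a graph with more than one kind of node, such as packages and the accounts that publish them, lets you reason about exposure), here is a small added illustration. It is not code from the Purdue project; the package, maintainer and product names are constructed for the example, and the graph is tiny so the traversal can be followed by hand. It answers two questions a practitioner actually asks after a disclosure: what does this product transitively depend on, and which products are reachable from a given compromised package or publisher account?

```python
"""Toy software-supply-chain graph: transitive exposure of products to a
compromised package or maintainer account.

Added illustration, not the Purdue project's code. All names below are
constructed for the example.
"""
from collections import defaultdict, deque

# Directed edges: dependant -> direct dependencies (constructed sample data).
DEPENDS_ON = {
    "acme-billing": ["web-framework", "json-lib"],
    "acme-portal": ["web-framework", "auth-lib"],
    "web-framework": ["http-core", "template-engine"],
    "auth-lib": ["http-core", "crypto-utils"],
    "template-engine": ["string-utils"],
    "json-lib": [],
    "http-core": ["string-utils"],
    "crypto-utils": [],
    "string-utils": [],
}

# Second node type: the account that publishes each package (constructed).
# Taking over one account taints every package it publishes.
MAINTAINER_OF = {
    "web-framework": "alice",
    "http-core": "alice",
    "template-engine": "bob",
    "string-utils": "carol",
    "json-lib": "dave",
    "auth-lib": "erin",
    "crypto-utils": "erin",
}

# The shipped products whose exposure we care about (constructed).
PRODUCTS = {"acme-billing", "acme-portal"}


def reverse_graph(deps):
    """Map each package to the packages that directly depend on it."""
    dependents = defaultdict(set)
    for pkg, reqs in deps.items():
        for r in reqs:
            dependents[r].add(pkg)
    return dependents


def transitive_deps(pkg, deps):
    """Everything pkg pulls in, directly or indirectly (pkg itself excluded)."""
    seen, stack = set(), [pkg]
    while stack:
        cur = stack.pop()
        for r in deps.get(cur, []):
            if r not in seen:
                seen.add(r)
                stack.append(r)
    return seen


def blast_radius(tainted_pkgs, deps, products=PRODUCTS):
    """Breadth-first walk up the reverse graph from the tainted packages.

    Returns (affected, paths): every package or product that transitively
    depends on a tainted package, and for each affected product one shortest
    dependency path from the product down to a tainted package.
    """
    dependents = reverse_graph(deps)
    parent = {t: None for t in tainted_pkgs}   # BFS tree; roots are the taints
    affected = set()
    queue = deque(tainted_pkgs)
    while queue:
        cur = queue.popleft()
        for d in dependents.get(cur, ()):
            if d not in parent:
                parent[d] = cur
                affected.add(d)
                queue.append(d)

    def path_to_taint(node):
        out = []
        while node is not None:
            out.append(node)
            node = parent[node]
        return out

    paths = {p: path_to_taint(p) for p in affected if p in products}
    return affected, paths


def compromised_maintainer(account, deps, maintainers):
    """Exposure if a publisher account is taken over (e.g. via phishing):
    every package that account publishes is treated as tainted at once."""
    tainted = {p for p, m in maintainers.items() if m == account}
    return blast_radius(tainted, deps)


if __name__ == "__main__":
    print("acme-billing pulls in:", sorted(transitive_deps("acme-billing", DEPENDS_ON)))
    affected, paths = blast_radius({"string-utils"}, DEPENDS_ON)
    print("string-utils compromise reaches:", sorted(affected))
    for product, path in paths.items():
        print("  ", " -> ".join(path))
    affected, _ = compromised_maintainer("erin", DEPENDS_ON, MAINTAINER_OF)
    print("erin account takeover reaches:", sorted(affected))
```

Two things the toy graph shows that a flat package count does not: a leaf utility with no dependencies of its own (`string-utils`) reaches every product through two independent paths, and a single publisher account (`alice`) covers two packages at different depths, so the account, not the package, is the right unit for that risk. A real model would add the further node types the project lists (users, organizations, jurisdictions) and weight edges by evidence such as release cadence or maintainer turnover.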
Brunswicker emphasizes that a holistic approach is needed to address this challenge, noting that software supply chain structures have received very little exploration from industry, government and academia alike. This is made even more difficult because software supply chains are vast networks of highly interconnected components that span different organizations and open-source groups, with broad and complex jurisdictions, motivations and practices.
"They often cross software domains—from Internet of Things to the cloud, or from medical to high-performance computers. So, analyzing them is an enormous undertaking," says Brunswicker, who is founder and director of the Research Center for Open Digital Innovation at Purdue. "Their impact also is subjected to geopolitical motivations and, much like regular supply chains, they require cooperation between otherwise geopolitical rivals."
Brunswicker and Torres-Arias are actively seeking doctoral, postdoctoral and even undergraduate students to join their team for this effort. The interdisciplinary project integrates knowledge and theories from software engineering, cybersecurity, computational and network science, artificial intelligence/machine learning and the social sciences.
A computational social scientist, Brunswicker is focused on bridging social and behavioral science and computing when studying open and digital forms of innovation. In her work, she designs and examines systems and technologies that support digital innovation with respect to their technological and behavioral impact.
She and her team use computational techniques and AI/ML to model and predict such impact. Her emphasis is in areas such as open-source software communities, data science contests, crowdsourcing, computational models of individual and collective intelligence, and human-AI teaming models for unmanned aerial vehicles.
Brunswicker also manages IronHacks, a virtual hacking community centered on a Purdue-developed competition platform that explores a variety of data science models using statistics from past human actions to predict future human behavior.
Provided by Purdue University