Software Supply Chain Risk: Characterization, Measurement & Attenuation (ASE 2024 - Doctoral Symposium)

Sun 27 October - Fri 1 November 2024 Sacramento, California, United States

Track

ASE 2024 Doctoral Symposium

This program is tentative and subject to change.

Time Zone

The program is currently displayed in (GMT-07:00) Pacific Time (US & Canada).

Use conference time zone: (GMT-07:00) Pacific Time (US & Canada)Select other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Mon 28 Oct 2024 11:00 - 11:30 at Gardenia - Student Presentations I

Abstract

With the accelerating adoption of open source software, and an ever-growing body of case studies of security vulnerabilities being introduced by said open source software (Log4J arbitrary code execution, OpenSSH backdoor by way of XZ-utils, and the Polyfill CDN take over), the need for supply chain observability has become increasingly urgent. This need has been acknowledged by both industry and government, with calls to enforce the adoption of Software Bills of Materials (SBOMs).

Current software security metrology efforts focus on individual packages within an ecosystem, with very little work exploring how security risk propagates through dependency networks. This research proposal sets out a number of research objectives and proposed approaches that when combined look to develop metrics that better align with the needs of software engineering practitioners, and further the understanding of the role of dependency networks in the propagation of risk within open source software.