Securing the Software Supply Chain
Abstract
The Securing the Software Supply Chain program will create software development technologies that provide visibility into the software components incorporated, and the build chain employed, in the creation of complex programs that reuse open-source and other diverse sources. Software supply chain attacks (e.g., SolarWinds) are growing in sophistication and severity. These attacks are enabled by long, complex chains of software reuse that hide dependencies and make vulnerabilities harder to find and remediate. The growing dependence on open-source software, where contributor motives may also be obscure, further exacerbates this problem. In addition, lack of knowledge about the build chain by which source code is compiled, linked, and loaded results in an executable program about which very little is known, so the problem of opacity is reinforced at multiple stages of the software development process. The program will develop technologies for automatically tracking the software bill of materials (SBOM), including for software of uncertain provenance, as an important step towards mitigating software supply chain risks.
Document Details
- Document Type: Accomplishment
- Publication Date: Oct 01, 2024
- Source ID: 973a3c20e7814647ac642bfa9d4673fa