The modern world relies on digital innovation in almost every human endeavor including critical infrastructure. Digital innovation has accelerated substantially as software is increasingly built on top of many layers of reusable abstractions, including libraries, frameworks, cloud infrastructure, artificial intelligence (AI) modules, and others, giving rise to software supply chains where software projects depend on and build upon other software projects. Software developers did not anticipate how the software supply chain would become a deliberate attack vector. The software industry has moved from passive adversaries finding and exploiting vulnerabilities contributed by honest, well-intentioned developers to a new generation of software supply chain attacks where attackers aggressively implant vulnerabilities directly into infrastructure software (e.g., libraries, tools) and infect build and deployment pipelines. In 2021, Sonatype reported a 650% year-over-year increase in detected supply chain attacks (on top of a 430% increase in 2020) targeted towards upstream open-source repositories.
Focused research is needed to develop fundamental principles, techniques, and tools to close the attack vectors in the software supply chain. Plummeting trust in the software supply chain may decelerate digital innovation if the software industry feels the need to divert resources to reduce risks on their own: For example, some organizations report the creation of private mirrored versions of open source products that have been internally validated, a costly private undertaking with little benefit to the larger community. Plummeting trust may also fragment the software ecosystem.
The Secure Software Supply Chain Center (S3C2), a large-scale, multi-institution research enterprise with the following vision:
The software industry can rapidly innovate with confidence in the security of its software supply chain.
We will achieve this vision through the following three goals.
- Research Goal: To aid the software industry to overcome the hard technical challenges in software supply chain security through the development of synergistic tools, metrics, data formats, and methods in the context of the human behavior of supply chain stakeholders.
- Workforce Goal: To aid the software industry to create a diverse workforce of technical leaders and practitioners educated and trained in secure software supply chain methods through research, hands-on education, and outreach initiatives with academic, government and industry partners.
- Community Goal: To aid the software industry to foster community-wide adoption of evidence- based secure practices through feedback cycles with industry and government, cross-organizational communication, technology transfer, and hands-on education
S3C2 is funded by a National Science Foundation (NSF) Secure and Trustworthy Cyberspace (SaTC) Frontiers award titled “Collaborative: SaTC: Frontiers: Enabling a Secure and Trustworthy Software Supply Chain” (CNS-2207008, CNS-2206859, CNS-2206865, and CNS-2206921).