Assessing the Threat Level of Software Supply Chains with the Log Model

Luis Soeiro; Thomas Robert; Stefano Zacchiroli

doi:10.1109/BigData59044.2023.10386091

Assessing the Threat Level of Software Supply Chains with the Log Model

Luis Soeiro, Thomas Robert, Stefano Zacchiroli

Institut Polytechnique de Paris

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

The use of free and open source software (FOSS) components in all software systems is estimated to be above 90%. With such high usage and because of the heterogeneity of FOSS tools, repositories, developers and ecosystem, the level of complexity of managing software development has also increased. This has amplified both the attack surface for malicious actors and the difficulty of making sure that the software products are free from threats. The rise of security incidents involving high profile attacks is evidence that there is still much to be done to safeguard software products and the FOSS supply chain.Software Composition Analysis (SCA) tools and the study of attack trees help with improving security. However, they still lack the ability to comprehensively address how interactions within the software supply chain may impact security.This work presents a novel approach of assessing threat levels in FOSS supply chains with the log model. This model provides information capture and threat propagation analysis that not only account for security risks that may be caused by attacks and the usage of vulnerable software, but also how they interact with the other elements to affect the threat level for any element in the model.

Original language	English
Title of host publication	Proceedings - 2023 IEEE International Conference on Big Data, BigData 2023
Editors	Jingrui He, Themis Palpanas, Xiaohua Hu, Alfredo Cuzzocrea, Dejing Dou, Dominik Slezak, Wei Wang, Aleksandra Gruca, Jerry Chun-Wei Lin, Rakesh Agrawal
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	3079-3088
Number of pages	10
ISBN (Electronic)	9798350324457
DOIs	https://doi.org/10.1109/BigData59044.2023.10386091
Publication status	Published - 1 Jan 2023
Event	2023 IEEE International Conference on Big Data, BigData 2023 - Sorrento, Italy Duration: 15 Dec 2023 → 18 Dec 2023

Publication series

Name	Proceedings - 2023 IEEE International Conference on Big Data, BigData 2023

Conference

Conference	2023 IEEE International Conference on Big Data, BigData 2023
Country/Territory	Italy
City	Sorrento
Period	15/12/23 → 18/12/23

Keywords

formal model
open source
software build
software supply chain
threat propagation

Access to Document

10.1109/BigData59044.2023.10386091

Cite this

Soeiro, L., Robert, T., & Zacchiroli, S. (2023). Assessing the Threat Level of Software Supply Chains with the Log Model. In J. He, T. Palpanas, X. Hu, A. Cuzzocrea, D. Dou, D. Slezak, W. Wang, A. Gruca, J. C.-W. Lin, & R. Agrawal (Eds.), Proceedings - 2023 IEEE International Conference on Big Data, BigData 2023 (pp. 3079-3088). (Proceedings - 2023 IEEE International Conference on Big Data, BigData 2023). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/BigData59044.2023.10386091

Soeiro, Luis ; Robert, Thomas ; Zacchiroli, Stefano. / Assessing the Threat Level of Software Supply Chains with the Log Model. Proceedings - 2023 IEEE International Conference on Big Data, BigData 2023. editor / Jingrui He ; Themis Palpanas ; Xiaohua Hu ; Alfredo Cuzzocrea ; Dejing Dou ; Dominik Slezak ; Wei Wang ; Aleksandra Gruca ; Jerry Chun-Wei Lin ; Rakesh Agrawal. Institute of Electrical and Electronics Engineers Inc., 2023. pp. 3079-3088 (Proceedings - 2023 IEEE International Conference on Big Data, BigData 2023).

@inproceedings{d4aae1b0de9b4e9699d9c3b9bb0328e6,

title = "Assessing the Threat Level of Software Supply Chains with the Log Model",

abstract = "The use of free and open source software (FOSS) components in all software systems is estimated to be above 90\%. With such high usage and because of the heterogeneity of FOSS tools, repositories, developers and ecosystem, the level of complexity of managing software development has also increased. This has amplified both the attack surface for malicious actors and the difficulty of making sure that the software products are free from threats. The rise of security incidents involving high profile attacks is evidence that there is still much to be done to safeguard software products and the FOSS supply chain.Software Composition Analysis (SCA) tools and the study of attack trees help with improving security. However, they still lack the ability to comprehensively address how interactions within the software supply chain may impact security.This work presents a novel approach of assessing threat levels in FOSS supply chains with the log model. This model provides information capture and threat propagation analysis that not only account for security risks that may be caused by attacks and the usage of vulnerable software, but also how they interact with the other elements to affect the threat level for any element in the model.",

keywords = "formal model, open source, software build, software supply chain, threat propagation",

author = "Luis Soeiro and Thomas Robert and Stefano Zacchiroli",

note = "Publisher Copyright: {\textcopyright} 2023 IEEE.; 2023 IEEE International Conference on Big Data, BigData 2023 ; Conference date: 15-12-2023 Through 18-12-2023",

year = "2023",

month = jan,

day = "1",

doi = "10.1109/BigData59044.2023.10386091",

language = "English",

series = "Proceedings - 2023 IEEE International Conference on Big Data, BigData 2023",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "3079--3088",

editor = "Jingrui He and Themis Palpanas and Xiaohua Hu and Alfredo Cuzzocrea and Dejing Dou and Dominik Slezak and Wei Wang and Aleksandra Gruca and Lin, \{Jerry Chun-Wei\} and Rakesh Agrawal",

booktitle = "Proceedings - 2023 IEEE International Conference on Big Data, BigData 2023",

}

Soeiro, L, Robert, T & Zacchiroli, S 2023, Assessing the Threat Level of Software Supply Chains with the Log Model. in J He, T Palpanas, X Hu, A Cuzzocrea, D Dou, D Slezak, W Wang, A Gruca, JC-W Lin & R Agrawal (eds), Proceedings - 2023 IEEE International Conference on Big Data, BigData 2023. Proceedings - 2023 IEEE International Conference on Big Data, BigData 2023, Institute of Electrical and Electronics Engineers Inc., pp. 3079-3088, 2023 IEEE International Conference on Big Data, BigData 2023, Sorrento, Italy, 15/12/23. https://doi.org/10.1109/BigData59044.2023.10386091

Assessing the Threat Level of Software Supply Chains with the Log Model. / Soeiro, Luis; Robert, Thomas; Zacchiroli, Stefano.
Proceedings - 2023 IEEE International Conference on Big Data, BigData 2023. ed. / Jingrui He; Themis Palpanas; Xiaohua Hu; Alfredo Cuzzocrea; Dejing Dou; Dominik Slezak; Wei Wang; Aleksandra Gruca; Jerry Chun-Wei Lin; Rakesh Agrawal. Institute of Electrical and Electronics Engineers Inc., 2023. p. 3079-3088 (Proceedings - 2023 IEEE International Conference on Big Data, BigData 2023).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Assessing the Threat Level of Software Supply Chains with the Log Model

AU - Soeiro, Luis

AU - Robert, Thomas

AU - Zacchiroli, Stefano

PY - 2023/1/1

Y1 - 2023/1/1

N2 - The use of free and open source software (FOSS) components in all software systems is estimated to be above 90%. With such high usage and because of the heterogeneity of FOSS tools, repositories, developers and ecosystem, the level of complexity of managing software development has also increased. This has amplified both the attack surface for malicious actors and the difficulty of making sure that the software products are free from threats. The rise of security incidents involving high profile attacks is evidence that there is still much to be done to safeguard software products and the FOSS supply chain.Software Composition Analysis (SCA) tools and the study of attack trees help with improving security. However, they still lack the ability to comprehensively address how interactions within the software supply chain may impact security.This work presents a novel approach of assessing threat levels in FOSS supply chains with the log model. This model provides information capture and threat propagation analysis that not only account for security risks that may be caused by attacks and the usage of vulnerable software, but also how they interact with the other elements to affect the threat level for any element in the model.

AB - The use of free and open source software (FOSS) components in all software systems is estimated to be above 90%. With such high usage and because of the heterogeneity of FOSS tools, repositories, developers and ecosystem, the level of complexity of managing software development has also increased. This has amplified both the attack surface for malicious actors and the difficulty of making sure that the software products are free from threats. The rise of security incidents involving high profile attacks is evidence that there is still much to be done to safeguard software products and the FOSS supply chain.Software Composition Analysis (SCA) tools and the study of attack trees help with improving security. However, they still lack the ability to comprehensively address how interactions within the software supply chain may impact security.This work presents a novel approach of assessing threat levels in FOSS supply chains with the log model. This model provides information capture and threat propagation analysis that not only account for security risks that may be caused by attacks and the usage of vulnerable software, but also how they interact with the other elements to affect the threat level for any element in the model.

KW - formal model

KW - open source

KW - software build

KW - software supply chain

KW - threat propagation

U2 - 10.1109/BigData59044.2023.10386091

DO - 10.1109/BigData59044.2023.10386091

M3 - Conference contribution

AN - SCOPUS:85184976317

T3 - Proceedings - 2023 IEEE International Conference on Big Data, BigData 2023

SP - 3079

EP - 3088

BT - Proceedings - 2023 IEEE International Conference on Big Data, BigData 2023

A2 - He, Jingrui

A2 - Palpanas, Themis

A2 - Hu, Xiaohua

A2 - Cuzzocrea, Alfredo

A2 - Dou, Dejing

A2 - Slezak, Dominik

A2 - Wang, Wei

A2 - Gruca, Aleksandra

A2 - Lin, Jerry Chun-Wei

A2 - Agrawal, Rakesh

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 2023 IEEE International Conference on Big Data, BigData 2023

Y2 - 15 December 2023 through 18 December 2023

ER -

Soeiro L, Robert T, Zacchiroli S. Assessing the Threat Level of Software Supply Chains with the Log Model. In He J, Palpanas T, Hu X, Cuzzocrea A, Dou D, Slezak D, Wang W, Gruca A, Lin JCW, Agrawal R, editors, Proceedings - 2023 IEEE International Conference on Big Data, BigData 2023. Institute of Electrical and Electronics Engineers Inc. 2023. p. 3079-3088. (Proceedings - 2023 IEEE International Conference on Big Data, BigData 2023). doi: 10.1109/BigData59044.2023.10386091

Assessing the Threat Level of Software Supply Chains with the Log Model

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this