Purdue University researchers are studying the surge in software supply chain attacks, in particular attacks that reach a target through the third-party software suppliers and vendors connected to it. The work starts from understanding how software supply chains are structured, in order to develop defenses against attacks that arrive through open-source components.
The Purdue research is especially timely. Gartner Inc predicts that 45% of global organizations will experience a software supply chain attack by 2025, a threefold increase over 2021. In December 2020, attackers were found to have inserted malware into signed updates of SolarWinds' Orion platform; the trojanized updates were distributed to as many as 18,000 government and private customers.
According to the research team, very little existing work tries to understand and model how software supply chains are structured. Proper models and tools to measure and predict the risk of software vulnerabilities introduced by reusing software components and development environments do not yet exist.
Because open-source components appear throughout the software lifecycle, organizations must first secure the open-source software they use. Enterprises and agencies use an average of more than 40,000 open-source packages downloaded by developers, and each package can pull in another 77 dependencies of its own.
The team is designing a graph-based model for data-driven prediction of risk and vulnerabilities. The graph represents the overall software supply chain through multiple interdependent relationships among products, packages, developers, users, organizations, and jurisdictions. The team plans to develop tools that mine software supply chain data in real time and feed models that quantify and predict supply chain risk, and to build a publicly accessible platform integrating those tools so that organizations can act early to mitigate risk and prevent future software supply chain attacks.
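To make the transitive-dependency point above and the graph idea concrete, here is a small added example (my own illustration, not the Purdue team's model or code). It builds a typed graph with package, developer and organization nodes joined by depends_on, maintained_by and affiliated_with edges, walks the transitive dependency closure of a root package to flag known-vulnerable, single-maintainer and watched-jurisdiction dependencies, and runs the reverse query that matters for early action: which packages are exposed when one dependency turns out to be compromised. All package, developer, organization and jurisdiction names are constructed.

```python
"""Toy heterogeneous supply-chain graph (added example, not the Purdue model).

Nodes are typed (package, developer, organization); edges are typed
(depends_on, maintained_by, affiliated_with). All data is constructed.
"""
from collections import defaultdict, deque


class SupplyChainGraph:
    def __init__(self):
        self.node_type = {}            # name -> "package" | "developer" | "organization"
        self.attrs = {}                # name -> attribute dict
        self.out = defaultdict(list)   # src -> [(edge_type, dst)]
        self.rev = defaultdict(list)   # dst -> [(edge_type, src)], for reverse queries

    def add_node(self, name, ntype, **attrs):
        self.node_type[name] = ntype
        self.attrs[name] = attrs

    def add_edge(self, src, etype, dst):
        if src not in self.node_type or dst not in self.node_type:
            raise KeyError(f"unknown node in edge {src} -{etype}-> {dst}")
        self.out[src].append((etype, dst))
        self.rev[dst].append((etype, src))

    def successors(self, node, etype):
        return [d for e, d in self.out[node] if e == etype]

    def predecessors(self, node, etype):
        return [s for e, s in self.rev[node] if e == etype]

    def _bfs(self, start, step):
        """Generic BFS returning {node: depth}; the visited set makes cycles safe."""
        seen = {}
        queue = deque([(start, 0)])
        while queue:
            node, depth = queue.popleft()
            for nxt in step(node):
                if nxt not in seen and nxt != start:
                    seen[nxt] = depth + 1
                    queue.append((nxt, depth + 1))
        return seen

    def transitive_deps(self, root):
        """Every package `root` pulls in, directly or transitively."""
        return self._bfs(root, lambda n: self.successors(n, "depends_on"))

    def dependents_of(self, package):
        """Blast radius: every package that transitively depends on `package`."""
        return self._bfs(package, lambda n: self.predecessors(n, "depends_on"))

    def jurisdictions_of(self, package):
        """package -maintained_by-> developer -affiliated_with-> organization(jurisdiction)."""
        found = set()
        for dev in self.successors(package, "maintained_by"):
            for org in self.successors(dev, "affiliated_with"):
                found.add(self.attrs[org].get("jurisdiction"))
        return found

    def risk_report(self, root, watched_jurisdictions=()):
        """Flag transitive dependencies by three simple, illustrative risk signals."""
        deps = self.transitive_deps(root)
        findings = []
        for dep, depth in sorted(deps.items(), key=lambda kv: kv[1]):
            if self.attrs[dep].get("known_vuln"):
                findings.append((dep, depth, "known-vulnerable"))
            if len(self.successors(dep, "maintained_by")) == 1:
                findings.append((dep, depth, "single-maintainer"))
            if self.jurisdictions_of(dep) & set(watched_jurisdictions):
                findings.append((dep, depth, "watched-jurisdiction"))
        return {"transitive_count": len(deps), "findings": findings}


def build_sample_graph():
    """Constructed sample data; every name here is hypothetical."""
    g = SupplyChainGraph()
    packages = {"app": {}, "web-fw": {}, "json-lib": {}, "log-lib": {"known_vuln": True},
                "compress": {}, "tiny-util": {}}
    for name, attrs in packages.items():
        g.add_node(name, "package", **attrs)
    for dev in ("alice", "bob", "carol"):
        g.add_node(dev, "developer")
    g.add_node("org-a", "organization", jurisdiction="A")
    g.add_node("org-b", "organization", jurisdiction="B")
    for src, dst in [("app", "web-fw"), ("app", "log-lib"), ("web-fw", "json-lib"),
                     ("web-fw", "compress"), ("compress", "tiny-util"),
                     ("tiny-util", "compress")]:      # last edge closes a cycle
        g.add_edge(src, "depends_on", dst)
    for pkg, dev in [("app", "alice"), ("web-fw", "alice"), ("web-fw", "bob"),
                     ("json-lib", "alice"), ("log-lib", "bob"),
                     ("compress", "carol"), ("tiny-util", "carol")]:
        g.add_edge(pkg, "maintained_by", dev)
    for dev, org in [("alice", "org-a"), ("bob", "org-a"), ("carol", "org-b")]:
        g.add_edge(dev, "affiliated_with", org)
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print(g.risk_report("app", watched_jurisdictions=("B",)))
    print(sorted(g.dependents_of("tiny-util")))
```

Two design points carry over to a real system: the typed edges are what let a query cross node kinds (package to maintainer to organization to jurisdiction) rather than stopping at the dependency tree, and the reverse index is what turns a single compromised package into a list of affected products without rescanning every root.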
Software supply chain structures have received very little exploration by industry, government, and academia. These structures often cross software domains, from the Internet of Things to the cloud, or from medical devices to high-performance computing. According to the researchers, their impact is also subject to geopolitical motivations and, much like physical supply chains, they require cooperation between parties that are otherwise geopolitical rivals.