Protecting Your Digital Assets: Understanding Supply Chain Risks

Imagine your software ecosystem as a secure home. In your home, you have a safe responsible for protecting your valuable digital assets with locks, cameras, and alarms. But what if a clever intruder found a way to enter your vault without setting off any alarms? Instead of targeting the vault, they set their sights on your workshop, where you craft the locks and security systems that protect your vault. This stealthy intruder secretly swaps your reliable software-making tools with identical-looking ones, hiding vulnerabilities within them. These vulnerabilities grant unrestricted access to your vault without leaving any trace.

In this analogy, your house embodies your software ecosystem, the vault signifies the storage of sensitive digital data, and the crafty intruder symbolizes hackers. The security tools and systems represent the software and applications safeguarding your network. The SolarWinds cyberattack, attributed to a Russian-backed group, had widespread repercussions, infiltrating numerous organizations globally, notably impacting various sectors of the US federal government and leading to extensive data breaches. In this attack, hackers infiltrated the software responsible for securing your network, making it vulnerable without your knowledge.

You can imagine the SolarWinds attack as an intruder duplicating your house keys, allowing them to enter your home whenever they please. In this case, the hackers compromised a company's software update process, manipulating security tools, gaining unauthorized access to numerous software ecosystems, and stealing sensitive data.

Consider your workshop, where you create software security tools and applications. Your tools include components from various suppliers. Similarly, in the digital world, many applications and programs rely on various software components created by different companies, serving as the building blocks of your digital security. Just as you trust the security tools you craft, you rely on the software protecting your software ecosystem. However, the SolarWinds attack underscores a crucial point: if even one supplier's software is compromised, it can affect the entire structure. It's not just about trusting the software you use; it's also about having confidence in the suppliers who provide the foundational building blocks. In cybersecurity, this means ensuring the verification and security of software packages and their dependencies to fortify your network against attackers.

In essence, the SolarWinds attack serves as a wake-up call, highlighting the need to thoroughly assess and secure every aspect of the software supply chain to defend against sophisticated cyber threats. Just as you'd safeguard your vault with top-notch locks and security systems, ensuring the integrity of your digital security tools and their suppliers is essential to protect your valuable digital assets from ever-evolving cyber dangers.

Our research project GUAC-ALYTICS (Graph for Understanding Artifact Composition and Analytics), is designed to unveil concealed relationships among software packages and their dependencies, with a primary focus on assessing risks. Our project is developing an advanced algorithmic engine, aiming to empower software maintainers and industry professionals to predict potential risks in their software supply chains, even when they lack comprehensive information about downstream connections or have proprietary code. Using data from GUAC, dependency mapping, and vulnerability and risk data from MITRE, we aim to build algorithms using machine learning and network science techniques. These algorithms will simplify predicting supply chain dependency risks across various software ecosystems.

The motivation behind this work arises from the existing uncertainty about the creation and journey of software components through the supply chain. Initially, the focus is on representing the Debian ecosystem's supply chain using network analytics to understand the associated risks. The broader goal is to extend these insights to other supply chains.

The GUAC-ALYTICS project leverages advanced data science and time series modeling to enhance the understanding of software supply chain threats and risks. By creating link prediction models, our project aspires to develop a risk prediction model that serves as an early warning system. It can help identify software packages more susceptible to potential attacks, ultimately enhancing software supply chain security.

The primary objective of this project is to enhance support for software by developing improved models and metrics. The aim is to fill the existing gaps in current metadata, ensuring that practitioners have the insights they need to make informed decisions and secure their software supply chains effectively. Beyond its immediate benefits, this work holds long-term promise. It aids practitioners in making well-informed decisions regarding supply chain risk management. It offers valuable insights into projects like the Linux Foundation's OpenSSF Securing Critical Projects initiative and the Alpha Omega project, guiding the allocation of resources to strengthen the entire software ecosystem.

Meet the Team

The Principal Investigators (PIs) for the project are Dr. Sabine Brunswicker and Dr. Santiago Torres Arias. A team of students is actively contributing to the project, collectively contributing to the intellectual merit through their combined efforts.