August 26, 2021
Cybersecurity professor works to close the door on hackers
Cybersecurity must be maintained from several angles. Hackers now are finding issues in software in order to pass along malicious code to computers. (Photo by Rawpixel)
Supply chain research seeks out the software openings oftentimes exploited
WEST LAFAYETTE, Ind. — A computer system’s cybersecurity can be jeopardized by its own software as much as by the questionable decisions made by computer users.
A Purdue University professor is focused on halting those software attacks, which statistics indicate are on the rise.
Santiago Torres Arias, an assistant professor of electrical and computer engineering at Purdue, said a cumulative increase of 500% in the number of software supply chain compromises is giving hackers the weak link they need to attack a system.
Torres Arias said that in supply chain security, hackers will search to find that one program in a chain of software that is vulnerable and hack it.
“Supply chain security compromises are attacks where someone targets the left side of the equation and how a piece of software is produced,” Torres Arias said. “They’re not targeting the people using the system, but rather the producers, so that when people then use the software themselves, the system is compromised.”
The attack on software developer SolarWinds in 2020 is among the more well-known of those. In that case, hackers broke into the company’s system and added code that went out to customers in software updates, creating a backdoor to a number of systems.
Torres Arias focuses on computer engineering in the software supply chain, bolstered by additional research in password storage mechanisms and software update systems, working to ensure that the way people create software and hardware does not compromise the security and privacy of their eventual users.
He is a member of Purdue’s Center for Education and Research in Information Assurance and Security (CERIAS) and a core developer or outright creator of many tools dedicated to software supply chain security under the Linux Foundation.
Cybersecurity is a critical topic under Purdue’s Next Moves, the ongoing strategic initiatives that will advance the university’s competitive advantage. Cybersecurity research is a key component of Purdue’s National Security and Technology enterprise. Purdue’s cybersecurity research and educational initiatives are centered under CERIAS and its 135 affiliated faculty members from 18 academic departments.
With system compromises on the rise, Torres Arias expects changes in coming years that will tighten up the way software is produced.
“I expect that in 5-10 years we’ll start seeing more transparency and more expectations from market pressure, pushing the software producers to tighten their processes,” Torres Arias said, comparing it to consumers using tamper-proof seals on medication.
“The same thing would happen with software,” he said. “If we know the software is not produced securely, we’re not going to use it.”
Torres Arias predicts that government regulatory agencies will intervene to establish best practices for secure software production. He also sees expanded research to identify looming threats in the supply chain to better prevent future compromises.
Writer, Media contact: Brian Huchel, 765-494-2084, bhuchel@purdue.edu
Source: Santiago Torres Arias, santiagotorres@purdue.edu