demonstration

Risk Explorer for Software Supply Chains: Understanding the Attack Surface of Open-Source based Software Development

Authors:

Serena Elisa PontaAuthors Info & Claims

SCORED'22: Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses

Pages 35 - 36

https://doi.org/10.1145/3560835.3564546

Published: 08 November 2022 Publication History

Get Access

Abstract

Supply chain attacks on open-source projects aim at injecting and spreading malicious code such that it is executed by direct and indirect downstream users. Recent work systematized the knowledge about such attacks and proposed a taxonomy in the form of an attack tree. We propose a visualization tool calledRisk Explorer for Software Supply Chains, which allows inspecting the taxonomy of attack vectors, their descriptions, references to real-world incidents and other literature, as well as information about associated safeguards. Being open-source itself, the community can easily reference new attacks, accommodate for entirely new attack vectors or reflect the development of new safeguards.

Supplementary Material

MP4 File (SCORED-scor006d.mp4)

Presentation video of the work "Risk Explorer for Software Supply Chains: Understanding the Attack Surface of Open-Source based Software Development". The video introduces the open-source tool "Risk Explorer for Software Supply Chains" which allows users to interactively explore the general taxonomy of open-source software supply chain attacks, their description, references, and associated safeguards. The tool can be used for training, to scope penetration tests and red-team activities, and can support threat modeling activities to protect the software supply chain. Being open-source itself, the community can easily reference new attacks, discuss entirely new attack vectors or reflect the development of new safeguards. This makes it possible to keep the taxonomy up-to-date and relevant, and also to have a central dataset of references about open-source software supply chain attacks.

Download
96.68 MB

References

[1]

Ana Figueiras. 2015. Towards the Understanding of Interaction in Information Visualization. In 2015 19th International Conference on Information Visualisation. 140--147. https://doi.org/10.1109/iV.2015.34

Digital Library

Google Scholar

[2]

Piergiorgio Ladisa, Henrik Plate, Matias Martinez, and Olivier Barais. forthcoming 2023. SoK: Taxonomy of Attacks on Open-Source Software Supply Chains. IEEE Symposium on Security and Privacy (SP) ( forthcoming 2023). io

Google Scholar

Cited By

View all

Sacchetti TBognar MDe Meulemeester JGierlichs BPiessens FBezsmertnyi VMolteni MCristalli SGringiani AThomas OAntonioli D(2024)AttackDefense Framework (ADF): Enhancing IoT Devices and Lifecycles Threat ModelingACM Transactions on Embedded Computing Systems10.1145/3698396Online publication date: 8-Oct-2024
https://doi.org/10.1145/3698396
Rebatchi HBissyandé TMoha N(2024)Dependabot and security pull requests: large empirical studyEmpirical Software Engineering10.1007/s10664-024-10523-y29:5Online publication date: 30-Jul-2024
https://doi.org/10.1007/s10664-024-10523-y
Wei YZheng JZhong H(2024)A Systematic Method for Constructing ICT Supply Chain Security RequirementsEmerging Information Security and Applications10.1007/978-981-99-9614-8_4(58-76)Online publication date: 4-Jan-2024
https://doi.org/10.1007/978-981-99-9614-8_4
Show More Cited By

Index Terms

Risk Explorer for Software Supply Chains: Understanding the Attack Surface of Open-Source based Software Development
1. Security and privacy
  1. Software and application security
    1. Software security engineering

Recommendations

Towards the Detection of Malicious Java Packages
SCORED'22: Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses

Open-source software supply chain attacks aim at infecting downstream users by poisoning open-source packages. The common way of consuming such artifacts is through package repositories and the development of vetting strategies to detect such attacks is ...
GoSurf: Identifying Software Supply Chain Attack Vectors in Go
SCORED '24: Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses

In Go, the widespread adoption of open-source software has led to a flourishing ecosystem of third-party dependencies, which are often integrated into critical systems. However, the reuse of dependencies introduces significant supply chain security risks,...
A survey on the use of blockchains to achieve supply chain security
Abstract
Supply chain networks are becoming more complex and vulnerable to various attacks. We must tackle these attacks properly to ensure the required supply chain security. In this paper, I have classified major supply chain security issues ...
Highlights
- Comparison of other blockchain related works and my work.
- Noteworthy supply ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

SCORED'22: Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses

November 2022

121 pages

ISBN:9781450398855

DOI:10.1145/3560835

Program Chairs:
Santiago Torres-Arias
Purdue University, USA
,
Marcela Melara
Intel Corporation, USA
,
Laurent Simon
Google Inc., USA

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 08 November 2022

Check for updates

Author Tags

Qualifiers

Demonstration

Funding Sources

AssureMOSS
SPARTA

Conference

CCS '22

Sponsor:

SIGSAC

CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security

November 7, 2022

CA, Los Angeles, USA

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
247
Total Downloads

Downloads (Last 12 months)73
Downloads (Last 6 weeks)11

Reflects downloads up to 21 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Sacchetti TBognar MDe Meulemeester JGierlichs BPiessens FBezsmertnyi VMolteni MCristalli SGringiani AThomas OAntonioli D(2024)AttackDefense Framework (ADF): Enhancing IoT Devices and Lifecycles Threat ModelingACM Transactions on Embedded Computing Systems10.1145/3698396Online publication date: 8-Oct-2024
https://doi.org/10.1145/3698396
Rebatchi HBissyandé TMoha N(2024)Dependabot and security pull requests: large empirical studyEmpirical Software Engineering10.1007/s10664-024-10523-y29:5Online publication date: 30-Jul-2024
https://doi.org/10.1007/s10664-024-10523-y
Wei YZheng JZhong H(2024)A Systematic Method for Constructing ICT Supply Chain Security RequirementsEmerging Information Security and Applications10.1007/978-981-99-9614-8_4(58-76)Online publication date: 4-Jan-2024
https://doi.org/10.1007/978-981-99-9614-8_4
Ladisa PSahin MPonta SRosa MMartinez MBarais OTorres-Arias SMelara MSimon LVasilakis NMoriarty K(2023)The Hitchhiker's Guide to Malicious Third-Party DependenciesProceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses10.1145/3605770.3625212(65-74)Online publication date: 30-Nov-2023
https://dl.acm.org/doi/10.1145/3605770.3625212
Ohm MStuke C(2023)SoK: Practical Detection of Software Supply Chain AttacksProceedings of the 18th International Conference on Availability, Reliability and Security10.1145/3600160.3600162(1-11)Online publication date: 29-Aug-2023
https://dl.acm.org/doi/10.1145/3600160.3600162
Ladisa PPonta SSabetta AMartinez MBarais O(2023)Journey to the Center of Software Supply Chain AttacksIEEE Security and Privacy10.1109/MSEC.2023.330206621:6(34-49)Online publication date: 21-Aug-2023
https://dl.acm.org/doi/10.1109/MSEC.2023.3302066
Jiang WSynovic NSethi RIndarapu AHyatt MSchorlemmer TThiruvathukal GDavis JTorres-Arias SMelara MSimon L(2022)An Empirical Study of Artifacts and Security Risks in the Pre-trained Model Supply ChainProceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses10.1145/3560835.3564547(105-114)Online publication date: 11-Nov-2022
https://dl.acm.org/doi/10.1145/3560835.3564547
Scalco SParamitha RVu DMassacci F(2022)On the feasibility of detecting injections in malicious npm packagesProceedings of the 17th International Conference on Availability, Reliability and Security10.1145/3538969.3543815(1-8)Online publication date: 23-Aug-2022
https://dl.acm.org/doi/10.1145/3538969.3543815

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Towards the Detection of Malicious Java Packages

GoSurf: Identifying Software Supply Chain Attack Vectors in Go

A survey on the use of blockchains to achieve supply chain security