Luís Soeiro presented his research on threat propagation in software supply chains
On December 17, 2023, our PhD student Luis Fernando de Oliveira Soeiro presented his research paper “Assessing the Threat Level of Software Supply Chains with the Log Model” at the 6th Annual Workshop on Cyber Threat Intelligence and Hunting (CyberHunt 2023). His research proposes a new formal model for estimating the possible threat levels at different parts of the software supply chain for software artifacts. The workshop was co-located with the 2023 IEEE International Conference on Big Data, at the Hilton Sorrento Palace in Sorrento, Italy. The full paper was published on IEEE Xplore and can also be downloaded from HAL Open Science.
Abstract of the paper
The use of free and open source software (FOSS) components in all software systems is estimated to be above 90%. With such high usage, and because of the heterogeneity of FOSS tools, repositories, developers and ecosystems, the complexity of managing software development has also increased. This has amplified both the attack surface available to malicious actors and the difficulty of making sure that software products are free from threats. The rise of security incidents involving high-profile attacks is evidence that there is still much to be done to safeguard software products and the FOSS supply chain. Software Composition Analysis (SCA) tools and the study of attack trees help with improving security. However, they still lack the ability to comprehensively address how interactions within the software supply chain may impact security. This work presents a novel approach to assessing threat levels in FOSS supply chains with the log model. The model provides information capture and threat propagation analysis that not only accounts for security risks that may be caused by attacks and the usage of vulnerable software, but also for how those risks interact with the other elements to affect the threat level of any element in the model.
About CyberHunt 2023
The Workshop on Cyber Threat Intelligence and Hunting provides a forum where experts from academia, industry, and government present research that advances the domain of CTI and other domains supported by the use of CTI. The workshop was held in conjunction with IEEE Big Data 2023 in Sorrento, Italy, during December 15-18, 2023.