Thesis defense by Luis SOEIRO
The Cyber CNI Chair congratulates Luis SOEIRO, doctoral student of the chair at Télécom Paris, on the defense of his thesis on December 1, 2025. His research focuses on Software Supply Chain (SSC) security, a key issue for organizations.
His thesis is entitled:
“Assessing the Security of Software Supply Chains: Software Bill of Materials, Threat Propagation, and Logical Attack Graphs”
It presents several useful contributions to understanding and strengthening the security of software dependencies.
A unique SBOM dataset
First, Luis SOEIRO built the largest SBOM (Software Bill of Materials) dataset available. It includes more than 78,000 unique SBOM files from 94 million public repositories. Thanks to this dataset, it is now possible to study the actual use of SBOMs in the open source world.
Next, he evaluated eight tools dedicated to SBOM quality. This study compares their results to independent metrics. It shows that the tools diverge significantly. It also reveals that many SBOMs remain difficult to use in practice.
A method for analyzing threat propagation
The thesis also proposes a new method for studying threat propagation in the software supply chain. This approach makes it easier to identify the elements that propagate an attack or suffer its effects.
In addition, this method highlights the limitations of traditional Software Composition Analysis (SCA) tools. It paves the way for new strategies to anticipate and reduce risks.
An extension of MulVal for supply chain attack graphs
MulVal is an open source tool used to generate logical attack graphs. However, it could not correctly represent attacks targeting software supply chains, such as the XZ attack or the 3CX double attack.
To address this need, the thesis proposes a comprehensive extension of MulVal. It adds new predicates dedicated to Software Supply Chain interactions. In addition, it integrates these elements into the existing logic engine. It also proposes 20 attack scenarios and a comprehensive testing framework.
An international jury
The jury was composed of:
- Nicolas Belloir (Rapporteur)
- Etienne Borde (Rapporteur)
- Christelle Urtado (Examiner)
- Joaquin Garcia-Alfaro (Examiner)
- Stefano Zacchiroli (Director)
- Thomas Robert (Co-director)
- Ivan Gazeau (Guest).
The Cyber CNI Chair warmly congratulates Luis SOEIRO. His work provides new research tools as well as practical resources to better protect software chains and improve the resilience of digital systems.
- Thesis defense by Luis SOEIRO - December 3, 2025