CHAINS — Consistent hardening and analysis of software supply chains
The software supply chain is defined as all software on which an organization relies to operate its activities. This spans a wide variety of applications, from payroll, travel, acquisition, to system and network administration tools, access control and databases.
The software supply chain has become a severe risk for companies in all sectors, as witnessed by several headlines in the last year. In July 2021, most Coop stores were closed in Sweden because of similar attack: the network management tool developed by the IT company Kaseya, installed in all Coop stores, was infected by a ransomware.
Hardening the software supply chain has become a problem of utmost importance. In May 2021, the US White House signed an executive order explicitly mentioning the software supply chain as a key risk for society. The societal strategic needs for secure supply chains is also part of Sweden’s "national cybersecurity strategy" and in the EU’s "New EU Cybersecurity Strategy".
The scope, importance and scale of software supply chain incidents greatly vary. Yet, their root causes are similar. The companies that supply a piece of software to customers (such as Solarwinds) share methods, tools and practices that are at the core of the risks highlighted above. These companies have large teams of developers who collaborate to build a complex piece of software. They all do software reuse at large because it is a known best practice with respect to reliability and time-to-market. As a matter of fact, developers deploy many features they need (such as encryption, monitoring, data management, networking, etc.) by incorporating existing software libraries into their software applications. While software reuse is a key enabler for timely and powerful software applications, some also consider it as Achille’s heel. On the one hand, malicious actors can infect a target application from within a reused component. On the other hand, entire software systems may crash because of a bug somewhere deep in the reuse chain. The tools and libraries that software companies reuse form the software supply chain for software development. This software supply chain is essential for advanced software development and it is also the root of many risks that all companies face when managing software applications. In CHAINS, we focus on hardening this supply chain of software libraries and tools, to enhance the reliability and security of applications that are distributed across the industry.