NSF Frontier proposal funded
Our Frontier proposal on software supply chain security has been funded by NSF!
Here are the details:
Collaborative Proposal: SaTC: Frontiers: Enabling a Secure and Trustworthy Software Supply Chain
The modern world relies on software in almost every human endeavor, and a typical software product includes 80% open source components. Attackers exploit accidentally-injected security vulnerabilities and, increasingly, aggressively implant vulnerabilities or malicious code directly into the software supply chain – open source software and its build and deployment pipelines. This Frontier project establishes the Secure Software Supply Chain Center (S3C2), a large-scale, multi-institution effort created to help the software industry re-establish trust in the software supply chain through the development of scientific principles, synergistic tools, metrics, and models in the context of human behavior among software supply chain stakeholders. The Center contributes to a diverse workforce of professionals educated and trained in secure software supply chain methods through, among other activities, undergraduate research projects, summer camps, and the development of course modules for students and practitioners. S3C2’s vision is to facilitate rapid innovation with increased confidence in software supply chain security.
S3C2 focuses on interconnected research thrusts for two supply chain attack vectors. Thrust One focuses on developing tools and techniques that help practitioners manage the risk of upstream dependencies. It enhances the utility of the Software Bill of Materials (SBoM) by identifying the exploitability of vulnerabilities and changes to attack surfaces, and it isolates risky code as a stop-gap until patching is possible. Thrust Two focuses on developing tools and techniques that help practitioners manage the risk of build processes. It enables strong guarantees for build integrity through analysis of continuous integration/continuous deployment (CI/CD) configurations and through techniques that help developers achieve reproducible builds.