Visible to the public Assessing Software Supply Chain Risk Using Public Data

TitleAssessing Software Supply Chain Risk Using Public Data
Publication TypeConference Paper
Year of Publication2017
AuthorsBenthall, S.
Conference Name2017 IEEE 28th Annual Software Technology Conference (STC)
KeywordsAlhazmi-Malaiya Logistic model, AML, commercial government organizations, cumulative vulnerability discovery plot, cybersecurity risk, Databases, Human Behavior, national vulnerability database, NVD, open source project, open version control data, OpenSSL, Predictive models, pubcrawl, public data, resilience, Resiliency, risk management, Robustness, safety-critical software, Scalability, secure networking library, security, security of data, sigmoid cumulative vulnerability discovery function, Software, software supply chain risk assessment, software vulnerability discovery, supply chain management, supply chain risk, supply chain security, Supply chains, temporary plateau feature, Tools, vulnerability discovery

The software supply chain is a source of cybersecurity risk for many commercial and government organizations. Public data may be used to inform automated tools for detecting software supply chain risk during continuous integration and deployment. We link data from the National Vulnerability Database (NVD) with open version control data for the open source project OpenSSL, a widely used secure networking library that made the news when a significant vulnerability, Heartbleed, was discovered in 2014. We apply the Alhazmi-Malaiya Logistic (AML) model for software vulnerability discovery to this case. This model predicts a sigmoid cumulative vulnerability discovery function over time. Some versions of OpenSSL do not conform to the predictions of the model because they contain a temporary plateau in the cumulative vulnerability discovery plot. This temporary plateau feature is an empirical signature of a security failure mode that may be useful in future studies of software supply chain risk.

Citation Keybenthall_assessing_2017