Unraveling Challenges with Supply-Chain Levels for Software Artifacts (SLSA) for Securing the Software Supply Chain

Mahzabin Tamanna, Sivana Hamer, Mindy Tran, Sascha Fahl, Yasemin Acar, Laurie Williams
arXiv 2409.05014 (cs.SE), arXiv - CS - Software Engineering, published 2024-09-08.
Citations: 0

Abstract

In 2023, Sonatype reported a 200% increase in software supply chain attacks, including major build infrastructure attacks. To secure the software supply chain, practitioners can follow security framework guidance like the Supply-chain Levels for Software Artifacts (SLSA). However, recent surveys and industry summits have shown that despite growing interest, the adoption of SLSA is not widespread. To understand adoption challenges, the goal of this study is to aid framework authors and practitioners in improving the adoption and development of Supply-Chain Levels for Software Artifacts (SLSA) through a qualitative study of SLSA-related issues on GitHub. We analyzed 1,523 SLSA-related issues extracted from 233 GitHub repositories. We conducted a topic-guided thematic analysis, leveraging the Latent Dirichlet Allocation (LDA) unsupervised machine learning algorithm, to explore the challenges of adopting SLSA and the strategies for overcoming these challenges. We identified four significant challenges and five suggested adoption strategies. The two main challenges reported are complex implementation and unclear communication, highlighting the difficulties in implementing and understanding the SLSA process across diverse ecosystems. The suggested strategies include streamlining provenance generation processes, improving the SLSA verification process, and providing specific and detailed documentation. Our findings indicate that some strategies can help mitigate multiple challenges, and some challenges need future research and tool enhancement.
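The abstract singles out provenance generation and provenance verification as the SLSA steps practitioners struggle with. As an added illustration that is not part of the paper and not code from any SLSA project, the following Python shows what a consumer-side verification actually has to check on a SLSA v1.0 provenance attestation once the signature on its DSSE envelope has been validated: the statement and predicate types, that the artifact's digest is listed as a subject, that the builder is one the consumer trusts, and that the build came from the expected source. Field names follow the in-toto Statement v1 and SLSA v1.0 predicate formats and the DSSE pre-authentication encoding; the artifact bytes, builder id, build type, source URI, key id and signature value are constructed for this example, and signature verification itself is assumed to be done by separate tooling (for instance slsa-verifier or cosign).

```python
import base64
import hashlib
import json

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed artifact bytes for this example (not a real release).
ARTIFACT = b"example release binary contents\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed in-toto Statement carrying a SLSA v1.0 provenance predicate.
# Field names follow the SLSA v1.0 spec; builder id, build type and source
# URI are assumed values chosen for this example.
PROVENANCE = {
    "_type": IN_TOTO_STATEMENT_V1,
    "subject": [{"name": "app-linux-amd64", "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/buildtypes/ci/v1",
            "externalParameters": {
                "source": {"uri": "git+https://github.com/example/app@refs/tags/v1.2.3"}
            },
        },
        "runDetails": {"builder": {"id": "https://example.com/builders/ci/v1"}},
    },
}

# Constructed DSSE envelope around the statement. The signature is a
# placeholder: checking it against the builder's public key is delegated to
# other tooling and is not performed here.
ENVELOPE = {
    "payloadType": DSSE_PAYLOAD_TYPE,
    "payload": base64.b64encode(json.dumps(PROVENANCE).encode()).decode(),
    "signatures": [{"keyid": "builder-key-1", "sig": "PLACEHOLDER"}],
}

# Assumed consumer policy: the only builder whose provenance we accept.
TRUSTED_BUILDERS = {"https://example.com/builders/ci/v1"}


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the bytes a signer actually signs
    ("DSSEv1" SP len(type) SP type SP len(payload) SP payload)."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def unwrap_envelope(envelope: dict) -> dict:
    """Return the statement inside a DSSE envelope, rejecting a wrong payload type.
    Assumes envelope signatures were verified beforehand over dsse_pae(...)."""
    if envelope.get("payloadType") != DSSE_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def verify_provenance(statement: dict, artifact: bytes,
                      expected_source_prefix: str, trusted_builders: set):
    """Policy checks on a provenance statement. Returns (ok, reasons);
    every failed check is reported rather than stopping at the first one."""
    reasons = []
    if statement.get("_type") != IN_TOTO_STATEMENT_V1:
        reasons.append("unexpected statement type")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        reasons.append("unexpected predicate type")
    # The artifact we hold must be one of the subjects the builder attested to.
    digest = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        reasons.append("artifact digest not among provenance subjects")
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        reasons.append(f"untrusted builder: {builder!r}")
    # Source location lives in externalParameters; the "source.uri" layout is
    # an assumption for this example, real builders define their own schema.
    source = (pred.get("buildDefinition", {}).get("externalParameters", {})
              .get("source", {}).get("uri", ""))
    if not source.startswith(expected_source_prefix):
        reasons.append(f"unexpected source: {source!r}")
    return (not reasons, reasons)


if __name__ == "__main__":
    stmt = unwrap_envelope(ENVELOPE)
    ok, why = verify_provenance(stmt, ARTIFACT, "git+https://github.com/example/app@",
                                TRUSTED_BUILDERS)
    print("verified" if ok else "rejected: " + "; ".join(why))
```

The digest check is what ties the provenance to the specific bytes on disk; a provenance document that verifies but whose subject does not match the artifact being installed says nothing about that artifact. Keeping the builder allow-list and the expected source as explicit inputs is what lets the same verifier be reused across projects, which is one of the per-ecosystem configuration burdens the study reports.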