2207008

Project Grant

Overview

Grant Description
Collaborative Proposal: SATC: Frontiers: Enabling a Secure and Trustworthy Software Supply Chain - The modern world relies on software in almost every human endeavor, and a typical software product includes 80% open source components. Attackers find and exploit accidentally-injected security vulnerabilities and, increasingly, aggressively implant vulnerabilities or malicious code directly into the software supply chain -- the open source software and its build and deployment pipelines.

This Frontiers project establishes the Secure Software Supply Chain Center (S3C2), a large-scale, multi-institution effort designed to help the software industry re-establish trust in the software supply chain through the development of scientific principles, synergistic tools, metrics, and models in the context of human behavior among software supply chain stakeholders.

The project's novelties include contributions to a diverse workforce trained in secure software supply chain methods through research and outreach initiatives, including summer research experiences for undergraduates (REU), summer camps, and the development of course modules for undergraduates, graduate students, and practitioners.

The project's broader significance and importance are the ways in which S3C2 will facilitate rapid innovation with increased confidence in software supply chain security. S3C2 focuses on interconnected research thrusts for two supply chain attack vectors: (1) upstream dependencies and (2) the build process in the context of a continuous integration/continuous deployment (CI/CD) pipeline.

Thrust one focuses on developing tools and techniques to aid practitioners with the risk of upstream dependencies. It enhances the utility of the software bill of materials (SBOM) by identifying exploitability of vulnerabilities and changes to attack surfaces and isolates risky code as a stop-gap before patching is possible.

Thrust two focuses on developing tools and techniques to aid practitioners with the risk of build processes. It enables strong guarantees for build integrity through analysis of CI/CD configuration and techniques that help developers achieve reproducible builds.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
Funding Goals
The goal of this funding opportunity, "Secure and Trustworthy Cyberspace Frontiers", is identified in the link: HTTPS://WWW.NSF.GOV/PUBLICATIONS/PUB_SUMM.JSP?ODS_KEY=NSF21597
Place of Performance
Raleigh, North Carolina 27695-7207 United States
Geographic Scope
Single Zip Code
Analysis Notes
Amendment: Since the initial award, total obligations have increased 577% from $846,164 to $5,726,934.
North Carolina State University was awarded Secure Software Supply Chain Center: Innovating Trust and Security Project Grant 2207008, worth $5,726,934, from the Division of Computer and Network Systems in October 2022, with work to be completed primarily in Raleigh, North Carolina, United States. The grant has a duration of 5 years and was awarded through assistance program 47.070 Computer and Information Science and Engineering. The Project Grant was awarded through grant opportunity Secure and Trustworthy Cyberspace Frontiers.

Status
(Ongoing)

Last Modified 11/21/25

Period of Performance
10/1/22
Start Date
9/30/27
End Date
65.0% Complete

Funding Split
$5.7M
Federal Obligation
$0.0
Non-Federal Obligation
$5.7M
Total Obligated
100.0% Federal Funding
0.0% Non-Federal Funding

Additional Detail

Award ID FAIN
2207008
SAI Number
None
Award ID URI
SAI EXEMPT
Awardee Classifications
Public/State Controlled Institution Of Higher Education
Awarding Office
490505 DIV OF COMPUTER NETWORK SYSTEMS
Funding Office
490505 DIV OF COMPUTER NETWORK SYSTEMS
Awardee UEI
U3NVH931QJJ3
Awardee CAGE
1E7H9
Performance District
NC-02
Senators
Thom Tillis
Ted Budd

Budget Funding

Federal Account
Research and Related Activities, National Science Foundation (049-0100)
Budget Subfunction
General science and basic research
Object Class
Grants, subsidies, and contributions (41.0)
Total
$2,066,212
Percentage
100%
Modified: 11/21/25