POSE: Phase I: Scoping An Open-Source Ecosystem Around Proactive Software Supply Chain Monitoring
Purdue University, West Lafayette IN
Investigators
Abstract
This project is funded by Pathways to Enable Open-Source Ecosystems (POSE) which seeks to harness the power of open-source development for the creation of new technology solutions to problems of national and societal importance. Industry, government, and academia rely on a supply chain of open-source software components. Recently, hackers have identified that, in order to hack their targets, they can "poison the water stream" to effectively affect all consumers of software at once. Problems with these sorts of attacks have caused site- and Internet-wide disruption at an estimated cost of billions of dollars. From major attacks like XCodeGhost to Solarwinds, software supply chain attacks have seen increasing trends in damage, sophistication, and frequency. Existing approaches to open-source development face challenges in achieving widespread adoption, mostly due to the complicated nature of securing the open source supply chain --- a highly interconnected network of actors with different socio-technical motivations. This project tackles the challenge of developing and sustaining a community to provide usable security. The project's novelties are in recognizing and building a broader solution that can secure not only cloud systems, but emerging applications such as as Artificial Intelligence and Internet of Things (IoT) as well as mission critical applications such as the powergrid. If successful, the project's impacts will protect millions of software users. This project aims to develop an open source ecosystem that sustainably grows to include further users and achieves meaningful protection against software supply chain attacks, protecting against as many vectors as possible. This project is divided in two tasks. First, it engages with stakeholders and end-users of emerging applications. Second, it builds a sustainability plan to attract and maintain new members in the community. This ecosystem has the potential to transform the robustness and security of software built in the United States and worldwide. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
View original record on NSF Award Search →