Mission: S3C2 is a leader in software supply chain security and an essential community catalyst for secure development methods, tools, and metrics that are adopted by practitioners and that re-establish trust in the software supply chain; and educates a workforce of technical leaders and practitioners.
The modern world relies on digital innovation, including software, in almost every human endeavor including critical infrastructure. Software is increasingly built on top of many layers of reusable abstractions, including libraries, frameworks, cloud infrastructure, artificial intelligence (AI) modules, and others, giving rise to software supply chains where software projects depend on and build upon other software projects.
Software developers did not anticipate how the software supply chain would become a deliberate attack vector. The software industry has moved from passive adversaries finding and exploiting vulnerabilities contributed by honest, well-intentioned developers to a new generation of software supply chain attacks where attackers aggressively implant vulnerabilities directly into infrastructure software (e.g., libraries, tools) and infect build and deployment pipelines. In 2024, Sonatype reported a 156% increase in malicious package downloads over 2023, continuing a multi-year trend of over 100% increases.
Software supply chain attacks are considered to have three major attack vectors.
The first is through vulnerabilities and malware accidentally or intentionally injected into open-source and third-party
code dependencies such as components, containers, and artificial intelligence models. Second, attackers conduct software
supply chain attacks by infiltrating the build infrastructure during the build and deployment
processes. Finally, attackers conduct software supply chain attacks through targeted techniques aimed at
the humans involved in software development, such as through social engineering. S3C2 researchers are investigating
each of these vectors, to understand the sources of attacks and to identify suitable means of protection.
Focused research is needed to develop fundamental principles, techniques, and tools to close the attack vectors in the software supply chain. Plummeting trust in the software supply chain may decelerate digital innovation if the software industry feels the need to divert resources to reduce risks on their own: For example, some organizations report the creation of private mirrored versions of open source products that have been internally validated, a costly private undertaking with little benefit to the larger community. Plummeting trust may also fragment the software ecosystem.
The Secure Software Supply Chain Center (S3C2), a large-scale, multi-institution research enterprise with the following vision:
The software industry can rapidly innovate with confidence in the security of its software supply chain.
We will achieve this vision through the following three goals.
- Research Goal: To aid the software industry to overcome the hard technical challenges in software supply chain security through the development of synergistic tools, metrics, data formats, and methods in the context of the human behavior of supply chain stakeholders.
- Workforce Goal: To aid the software industry to create a diverse workforce of technical leaders and practitioners educated and trained in secure software supply chain methods through research, hands-on education, and outreach initiatives with academic, government and industry partners.
- Community Goal: To aid the software industry to foster community-wide adoption of evidence- based secure practices through feedback cycles with industry and government, cross-organizational communication, technology transfer, and hands-on education
S3C2 is funded by a National Science Foundation (NSF) Secure and Trustworthy Cyberspace (SaTC) Frontiers award titled “Collaborative: SaTC: Frontiers: Enabling a Secure and Trustworthy Software Supply Chain” (CNS-2207008, CNS-2206859, CNS-2206865, and CNS-2206921).