CSC News

August 03, 2022

NC State to Lead Multi-institution Software Supply Chain Security Grant from NSF

NC State University is the lead institution on a $9 million, multi-institution National Science Foundation grant to research technical challenges in software supply chain security and to help build a diverse workforce for the software industry.

 

Modern software is vulnerable to malicious activity, and software professionals must address software supply chain attacks. This project establishes the Secure Software Supply Chain Center (S3C2), bringing together researchers, industry partners and government agencies to develop scientific tools, metrics, data formats, and methods to reduce risks with software. The S3C2 Team is pictured - Front row (l-r): Laurie Williams and Yasemin Acar. Back row (l-r): Michel Cukier, Christian Kästner, William Enck, and Alexandros Kapravelos.

 

Through education, outreach and training, the project will also foster a diverse workforce of technical leaders and practitioners capable of problem-solving in software supply chain models. Summer programs and new course modules will prepare current and future technical leaders and practitioners to build more secure software.

 

NC State has made a name for itself in cybersecurity and technology. The Secure Computing Institute has connected cybersecurity research and education efforts among NC State departments and throughout the Triangle area since its founding in 2019. It is home to the North Carolina Partnership for Cybersecurity Excellence (NC-PaCE), in which universities, community colleges, public agencies and private businesses across the state collaborate through education, research, service and outreach to establish cybersecurity as an economic development tool. NC-PaCE received a $2 million grant from the National Centers of Academic Excellence in Cybersecurity last year.

 

Of the $9 million NSF grant, NC State was awarded $6 million as the lead institution. Other university partners include Carnegie Mellon University, The George Washington University and the University of Maryland College Park.



 

Abstract

Collaborative Proposal: SaTC: Frontiers: Enabling a Secure and Trustworthy Software Supply Chain

Laurie Williams; William Enck; Alexandros Kapravelos

10/1/2022-9/30/2027

 

The modern world relies on software in almost every human endeavor, and a typical software product includes 80% open source components. Attackers exploit accidentally injected security vulnerabilities and, increasingly, aggressively implant vulnerabilities or malicious code directly into the software supply chain -- open source software and its build and deployment pipelines. This Frontier project establishes the Secure Software Supply Chain Center (S3C2), a large-scale, multi-institution effort to help the software industry re-establish trust in the software supply chain through the development of scientific principles, synergistic tools, metrics, and models in the context of human behavior among software supply chain stakeholders. The Center contributes to a diverse workforce of professionals educated and trained in secure software supply chain methods through, among other means, undergraduate research projects, summer camps, and the development of course modules for students and practitioners. S3C2's vision is to facilitate rapid innovation with increased confidence in software supply chain security.

 

S3C2 focuses on interconnected research thrusts for two supply chain attack vectors. Thrust One develops tools and techniques to help practitioners manage the risk of upstream dependencies. It enhances the utility of the Software Bill of Materials (SBoM) by identifying the exploitability of vulnerabilities and changes to attack surfaces, and it isolates risky code as a stop-gap until patching is possible. Thrust Two develops tools and techniques to help practitioners manage the risk of build processes. It enables strong guarantees of build integrity through analysis of continuous integration/continuous deployment (CI/CD) configuration and through techniques that help developers achieve reproducible builds.

 
