Open-source code is used in many software products, which creates complex dependency trees that are difficult to monitor and control. A typical threat scenario is that a threat actor plants a vulnerable or malicious open-source component in a public repository and then attacks the software products that pull in that component.
This project focuses on analyzing how open-source code is typically used in software products, and the threat scenarios that become possible when vulnerabilities are introduced into open-source components. The project is expected to recommend strategies for mitigating such threat scenarios by controlling the use of open-source components. Aspects to be investigated include:
- Open-source dependencies: why, who and where?
- When do dependency chains get out of control?
- Dependency confusion and substitution attacks (e.g. npm scoping as a mitigation)
- Prominent recent examples, such as compromised npm packages and the log4j vulnerability
- Frameworks and guidelines, such as a secure SDLC and the Software Bill of Materials (SBOM)
- Differences between supply-chain attacks based on open-source components and those based on closed-source software, such as SolarWinds
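To make the dependency-confusion item concrete, here is an added example (not code from the project or from KPMG) of the check a practitioner would run against an npm project. Dependency confusion works because a package manager that looks up an internal package name on the public registry will happily install a public package of the same name if its version is higher; npm scoping mitigates this when the scope is routed to the private registry in `.npmrc`. The package names, the registry host `npm.example-corp.internal`, the `package.json`, `.npmrc` and `package-lock.json` fragments below are all constructed for the example, including a lockfile that has already resolved an internal package from `registry.npmjs.org` at a suspiciously high version.

```python
"""Dependency-confusion audit for an npm project (added example, constructed inputs)."""
import json
from urllib.parse import urlparse

# Assumed private registry host and the set of packages the company publishes there.
INTERNAL_REGISTRY = "npm.example-corp.internal"
INTERNAL_PACKAGES = {"corp-auth-client", "@corp/logger", "@corp/metrics", "@corp-labs/flags"}

# Constructed package.json: one unscoped internal package, one scope not covered by .npmrc.
PACKAGE_JSON = json.loads("""{
  "name": "billing-service",
  "dependencies": {
    "express": "^4.18.2",
    "corp-auth-client": "^2.1.0",
    "@corp/logger": "^1.4.0",
    "@corp/metrics": "^0.9.1",
    "@corp-labs/flags": "^0.2.0"
  }
}""")

# Constructed .npmrc: only the @corp scope is routed to the private registry.
NPMRC = """\
registry=https://registry.npmjs.org/
@corp:registry=https://npm.example-corp.internal/
//npm.example-corp.internal/:_authToken=${CORP_NPM_TOKEN}
"""

# Constructed package-lock.json: corp-auth-client was resolved from the public registry at 99.0.0,
# the classic sign that a higher-versioned lookalike won the resolution.
PACKAGE_LOCK = json.loads("""{
  "packages": {
    "node_modules/express": {"version": "4.18.2",
      "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz"},
    "node_modules/corp-auth-client": {"version": "99.0.0",
      "resolved": "https://registry.npmjs.org/corp-auth-client/-/corp-auth-client-99.0.0.tgz"},
    "node_modules/@corp/logger": {"version": "1.4.0",
      "resolved": "https://npm.example-corp.internal/@corp%2flogger/-/logger-1.4.0.tgz"},
    "node_modules/@corp/metrics": {"version": "0.9.1",
      "resolved": "https://npm.example-corp.internal/@corp%2fmetrics/-/metrics-0.9.1.tgz"},
    "node_modules/@corp-labs/flags": {"version": "0.2.0",
      "resolved": "https://registry.npmjs.org/@corp-labs/flags/-/flags-0.2.0.tgz"}
  }
}""")


def parse_npmrc(text):
    """Return (default registry, {scope: registry}) from the key=value lines of an .npmrc."""
    default, scopes = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "//")):  # comments and //host/:_authToken lines
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "registry":
            default = value
        elif key.startswith("@") and key.endswith(":registry"):
            scopes[key[: -len(":registry")]] = value
    return default, scopes


def scope_of(name):
    """'@corp/logger' -> '@corp'; unscoped names -> None."""
    return name.split("/", 1)[0] if name.startswith("@") else None


def audit_manifest(package_json, npmrc_text, internal_packages, internal_host):
    """Classify each dependency by its exposure to dependency confusion.

    Verdicts: 'ok-public' (external package), 'ok-scoped-private' (scope pinned to the private
    registry), 'unscoped-internal' (a public package of the same name and a higher version would
    be preferred), 'scope-not-pinned' (scoped, but resolution still goes to the default registry).
    """
    _, scope_registries = parse_npmrc(npmrc_text)
    verdicts = {}
    for name in package_json.get("dependencies", {}):
        scope = scope_of(name)
        if name not in internal_packages:
            verdicts[name] = "ok-public"
        elif scope is None:
            verdicts[name] = "unscoped-internal"
        elif urlparse(scope_registries.get(scope, "")).hostname == internal_host:
            verdicts[name] = "ok-scoped-private"
        else:
            verdicts[name] = "scope-not-pinned"
    return verdicts


def audit_lockfile(package_lock, internal_packages, internal_host):
    """List (name, version, host) for internal packages the lockfile resolved from the wrong host."""
    findings = []
    for path, entry in package_lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # the root project entry has no resolved URL
        name = path.rsplit("node_modules/", 1)[-1]  # innermost name for nested installs
        if name in internal_packages:
            host = urlparse(entry.get("resolved", "")).hostname
            if host != internal_host:
                findings.append((name, entry.get("version"), host))
    return findings


if __name__ == "__main__":
    for name, verdict in audit_manifest(PACKAGE_JSON, NPMRC, INTERNAL_PACKAGES, INTERNAL_REGISTRY).items():
        print(f"{name:20} {verdict}")
    for name, version, host in audit_lockfile(PACKAGE_LOCK, INTERNAL_PACKAGES, INTERNAL_REGISTRY):
        print(f"LOCKFILE: {name}@{version} resolved from {host}, expected {INTERNAL_REGISTRY}")
```

The manifest check catches the exposure before anything is installed (rename `corp-auth-client` to `@corp/auth-client`, and add an `@corp-labs:registry=` line), while the lockfile check catches an attack that has already succeeded; both are needed, because a correctly scoped manifest does not retroactively clean a lockfile committed earlier.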
This master's project is in collaboration with KPMG Norway.