An Industry Interview Study of Software Signing for Supply Chain Security

arXiv:2406.08198v1 Announce Type: cross
Abstract: Many software products are composed by the recursive integration of components from other teams or external parties. Each additional link in a software product's supply chain increases the risk of the injection of malicious behavior. To improve supply chain provenance, many cybersecurity frameworks, standards, and regulations recommend the use of software signing. However, recent surveys and measurement studies have found that the adoption rate and quality of software signatures are low. These findings raise questions …

arxiv behavior components cs.cr cs.se cybersecurity cybersecurity frameworks external frameworks industry injection integration interview link malicious malicious behavior parties product products provenance risk security signing software software products standards study supply supply chain supply chain security teams