The software industry has been transitioning to continuous deployment practices, which require complex build and deployment processes. In parallel, it has increased its use of open-source software and processes, all of which are continually evolving. These changes have opened up a new attack vector, as demonstrated by the SolarWinds compromise, emphasizing the urgent need to identify how to ensure the security of the complete software supply chain.
In this project, we build tools and techniques to secure the software supply chain. This project is focused on:
- data-driven tools that share information between tools and processes and leverage artificial intelligence and machine learning,
- the complete life cycle of the supply chain, allowing knowledge to be passed between tools, processes, and repositories, and
- the human aspects of applying security tools, through a focus on the real-world effectiveness of the tools.