Open Source Software (OSS) Transparency Tutorial

Bibliographic Details
Published in: 2024 IEEE Secure Development Conference (SecDev), pp. 186-187
Main Authors: Woody, Carol; Hissam, Scott
Format: Conference Proceeding
Language: English
Published: IEEE, 07.10.2024
DOI: 10.1109/SecDev61143.2024.00026

Summary: The reuse of software has enabled faster fielding of systems, but all software comes with vulnerabilities, and attackers have expanded their capabilities to exploit the software supply chain, especially open source, which provides broad accessibility. Managing this risk requires the ability to measure and monitor it, but the information is scattered among acquirers, suppliers, system and software engineers, developers, testers, and verifiers. The Software Engineering Institute (SEI) has explored many aspects of software measurement. Throughout the history of software engineering, we have learned that software metrics for both the process and the product are needed. We have also explored many aspects of cybersecurity measurement and determined that we must be able to measure the processes for developing and using software and determine how those measurement results affect the resulting product's cybersecurity. This tutorial will share the results of this exploration to show the range of potential measurement options.