1、SUPPLY CHAIN SECURITY 1Technology Innovation InstituteABSTRACTDespite billions of dollars of investment in software supply-chain security tools,enterprises and governments continue to be hacked.At the Security Systems Research Center of the Technology Innovation Institute(TII SSRC,Abu Dhabi,UAE,tii.

2、ae/secure-systems),researchers are working on new solutions to seal up the security gaps that make these breaches possible.This white paper delves into SSRCs work to bolster supply-chain security(SCS)security across efforts like Supply-Chain Levels for Software Artifacts(SLSA,slsa.dev),the open-sour

3、ce Nix package manager(nixos.org),and Identity and Access Management(IAM)infrastructures,all to automate a secure build pipeline.Key enhancements include new Software Bill of Materials(SBOM)generation tools,vulnerability-management automation,a flexible public key infrastructure,an automated Zero Tr

4、ust development-and-build pipeline,and creation of scalable and ephemeral build environments.2Technology Innovation Institute3INTRORecent years have seen a marked increase in attacks on the software supply-chainwith notable impacts on such security-conscious organizations as SolarWinds,Microsoft,OKT

5、A,Kaseya,and British Airways.These attacks typically involve malicious or vulnerable code inserted into legitimate products at almost any stage of the products lifecycle.Perhaps most alarmingly,at the end of March 2024,a Microsoft developer reported that someone(just who is still unknown)had planted

6、 a back door in the XZ compression tool slated for inclusion in coming Linux updates.1 Had they succeeded,this vulnerability could have given the perpetrators remote access to Linux systems underpinning much of the modern economy.This vulnerability was not discovered by a security researcher,but rat