Improving Transparency, Trust, and Automation in the Software Supply Chain

Modern software no longer functions as a single, monolithic entity but rather as an intricate composition of thousands of components. These components collectively contribute to the functionality and security of software, yet they also expose the ecosystem to an ever-growing array of vulnerabilities. High-profile incidents such as SolarWinds and the 2024 compromise of xz-util highlight the pervasive and severe nature of threats in the software supply chain. These attacks are often opaque, making detection and mitigation complex and slow, and they possess a significant amplification factor: a single compromised component can propagate downstream, impacting many dependent systems and users. Addressing these challenges requires a focused investigation into the security of software supply chains. Governments, industry stakeholders, and community initiatives have emphasized the importance of secure, transparent, and trusted software ecosystems. However, the lack of appropriate tools and methodologies hinders the practical application of recommendations and guidelines. Developers need solutions capable of managing the complex networks that underpin modern software. This necessitates transparency within the supply chain, which can either be proactively ensured by developers or retroactively derived through artifact analysis. Unfortunately, even the most diligent developers remain vulnerable to last-mile compromises, as demonstrated by the xz-util attack, where malicious code was injected into the distributable artifact without detection. This thesis addresses three critical aspects of the software supply chain to enhance security: transparency, trust, and automation. First, it investigates transparency as a mechanism to empower developers with accurate and complete insights into the software components integrated into their applications. To this end, the thesis introduces \textsc{Sunset} and \textsc{PIP-sbom}, leveraging modeling and SBOMs (Software Bill of Materials) as foundational tools for transparency and security. Second, it examines software trust, focusing on the effectiveness of reproducible builds in major ecosystems and proposing solutions to bolster their adoption. Finally, it emphasizes the role of automation in modern software management, particularly in ensuring user safety and application reliability. This includes developing a tool for automated security testing of GitHub Actions and analyzing the permission models of prominent platforms like GitHub, GitLab, and BitBucket. By advancing these pillars of software supply chain security, this thesis provides the tools, methodologies, and insights necessary for practitioners to navigate and secure the increasingly complex and interconnected software landscape.