Software Supply Chain Integrity

June 7th, 2024

Project co-funded by CSIRO’s Critical Infrastructure Protection and Resilience (CIPR) Mission and Google LLC

Goal: Development of new tools to help Critical Infrastructure operators select the best software options to ensure software supply chain integrity.

Start date: 3/7/23

End date: 30/3/25

The aim of this project is to provide novel methods and technologies for the evaluation of software security relevant to Australian critical infrastructure sectors, and to ensure the trustworthiness of software developed, procured, commissioned, and maintained by Australian Critical Infrastructure. The parties agree that all project outputs will be published via relevant public mediums to enable free and easy access by critical infrastructure sectors and to maximise the impact of this collaborative project.

The project team will work to deliver:

(a) Methods to enhance and enrich vulnerability data in advisory databases, aiming to answer the question, “Am I impacted by the vulnerability?” This contribution involves providing fine-grained information specifically useful to users, especially when only a subset of functions within the vulnerable versions of a package is being used. This will help open-source software users narrow down the list of vulnerabilities that genuinely impact them.

(b) Methods to prioritise existing vulnerabilities, addressing the challenge of slow remediation of exploited flaws despite a significant increase in exploitation activity.

(c) A reference architecture, collecting project results and best practices into a comprehensive reference guide for hardening software supply chain security for critical infrastructures in Australia. The outputs of the methods developed under (a) and (b) will also feed into the reference architecture.
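The narrowing described in deliverable (a), shown as an added illustration that is not project code: an advisory record enriched with the affected functions is matched against both the dependency version a consumer uses and the functions it actually calls, so a version match alone no longer counts as impact. The advisory format, the package name and the function names are all constructed for this example.

```python
"""Function-level vulnerability impact check (illustrative, constructed data)."""
from dataclasses import dataclass, field
from typing import Optional


def parse_version(v: str) -> tuple:
    # Plain dotted numeric versions only (assumption for this example).
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    vuln_id: str
    package: str
    introduced: str                 # first affected version (inclusive)
    fixed: Optional[str]            # first fixed version (exclusive); None = unfixed
    affected_functions: frozenset = field(default_factory=frozenset)


def version_affected(adv: Advisory, version: str) -> bool:
    """True when `version` lies in [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def assess(adv: Advisory, package: str, version: str, called: set) -> str:
    """Return 'impacted', 'not_impacted' or 'version_only' for one consumer.

    'version_only' means the advisory carries no function-level data, so the
    consumer cannot narrow the result beyond the version match.
    """
    if package != adv.package or not version_affected(adv, version):
        return "not_impacted"
    if not adv.affected_functions:
        return "version_only"
    return "impacted" if called & adv.affected_functions else "not_impacted"


# Constructed sample advisory (not a real vulnerability or package).
SAMPLE = Advisory(
    vuln_id="EXAMPLE-0001",
    package="example-parser",
    introduced="1.2.0",
    fixed="1.4.1",
    affected_functions=frozenset({"example_parser.load_untrusted"}),
)

if __name__ == "__main__":
    print(assess(SAMPLE, "example-parser", "1.3.0", {"example_parser.load_untrusted"}))
    print(assess(SAMPLE, "example-parser", "1.3.0", {"example_parser.dump"}))
```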

For more information: contact Ahmed, Ejaz (Data61, Marsfield) <Ejaz.Ahmed@data61.csiro.au>