Reproducible Builds: Increasing the Integrity of Software Supply Chains

International audienceAlthough it is possible to increase confidence in Free and Open Source Software (FOSS) by reviewing its source code, trusting code is not the same as trusting its executable counterparts. These are typically built and distributed by third-party vendors, with severe security consequences if their supply chains are compromised. In this paper, we present reproducible builds, an approach that can determine whether generated binaries correspond with their original source code. We first define the problem, and then provide insight into the challenges of making real-world software build in a "reproducible" manner-this is, when every build generates bit-for-bit identical results. Through the experience of the Reproducible Builds project making the Debian Linux distribution reproducible, we also describe the affinity between reproducibility and quality assurance (QA)

Agiilsete printsiipide rakendamine Keskkonnaministeeriumi haldusala projektide juhtimisel

https://www.ester.ee/record=b5453097*es

Software Technology Maturation and Software Security

Software technology maturation, also referred to as technology transfer, is as difficult as it is rare, mostly because of the time scale involved. Software maturation is defined as the process of taking a piece of technology from conception to popularization. Frequently, software engineers and developers tend to oversimplify the problems of technology transfer. They attribute problems to management pressures that complicate the use of software-engineering practices. However, a good understanding of the processes and problems is necessary to effectively tackle the technology-transfer problem. Without that understanding, the transfer of inappropriate technology to an organization without the maturity to understand and absorb it is likely to do harm, rather than to bring benefits. This research aims to answer two research questions regarding the technology maturation. Namely, is Redwine and Riddle's "Software Technology Maturation" study the accepted and gold standard within the software engineering discipline for assessing the maturation of software technology? Secondly, can the software technology maturation study be applied to other areas of software technology? The purpose of this research is to answer these questions of interest which will serve as the basis for the second implementation; applying the Redwine and Riddle criteria to the comparatively young discipline of software security. The primary goal for the second implementation is to explore and extend the second research question and demonstrate the maturity phases for the field of software security

A Novel Practice-Based Process Model for Secure Agile Software Development

Nigeria is ranked second globally after India in reported incidences of cyberattacks. Attackers usually exploit vulnerabilities in software which may not have considered security features during the development process. Agile methodologies are a well-established paradigm in the software development field. Its adoption has contributed to improving software quality. However, agile software products remain vulnerable to security challenges and susceptible to cyberattacks. Agile methods also tend to neglect non-functional requirements such as security. Despite its significance, there is paucity of research addressing security. The problem tackled in this research is the lack of security practices integration in agile software development. Thus, this thesis aims to improve security of the software development process when using agile methods through the developed secure process model.The methodology arising from the research context is a multi-methods qualitative approach divided into four phases involving 35 practitioners from 17 organisations. The first phase describes an exploratory case study conducted to empirically explore the agile security practices adopted by software developers and security professionals in United Kingdom (UK). The second phase involves conducting semi-structured interviews to investigate the impact of regulatory policy for building secure agile software in Nigeria. The third phase developed a novel practice-based agile software development process model derived from the results of the interview data analysis conducted. Finally, the model was preliminarily validated through a focus group comprising of 5 senior agile cybersecurity professionals to evaluate its relevancy and novelty. The focus group was conducted online, comprising predominantly UK practitioners previously interviewed, along with a few participants who were not involved in the earlier stages of data collection. The model was also applied at a Nigerian company involved in secure agile software development.Using the adopted methodology, this thesis presents a taxonomy of security practices identified in the UK research sites. They were categorized according to agile use in organisation - roles, ceremonies, and artefacts. Based on the analysis of interviews conducted in Nigeria, a grounded theory of the security challenges confronting agile practitioners was also developed which was termed Policy Adherence Challenges (PAC) model. The four challenges identified are: (a) a lack of collaboration between security and agile teams; (b) the tendency to use foreign software hosting companies; (c) a poor cybersecurity culture; and (d) the high cost of building secure agile software. Also, the model developed in this thesis used swim lane diagrams to highlight the process flow of security activities. 24 security practices were identified and organized into a process flow. The practices were mapped onto five swim lanes each representing an agile role. The preliminary model evaluation conducted through a focus group workshop proposed a new practice, in response to an observed lack of collaborative ceremonies, to disseminate awareness of and hence compliance with security standards. Further evaluation of the secure process model led to several positive changes in the chosen organisation. These include enhanced collaboration through introducing security retrospectives sessions, intervention to reduce manager’s work tasks by introducing a security champion role, action to enhance team security competence by reducing collaborative gap with senior roles which form mitigation mechanisms to improve regulatory compliance in the global south context. This research recommends practitioners integrate practices such as the proposed “compliance sprint” to improve the security of their products thereby reducing the incidences of cyberattacks. Also, there is need for government action by creating the enabling environment to ensure compliance to regulatory policies and security standards for practitioners developing secure software products