Description
Modern software projects rely heavily on external dependencies, which improves quality and re-use but also introduces risks when packages are insecure or unmaintained. Assessing these risks is difficult, as current practice is often based on subjective judgment and lacks systematic, automated support. We compile a catalog of supply-chain security metrics for dependency assessment and demonstrate that individual metrics cannot provide reliable evaluations. To address this, we propose a methodology for combining metrics into supply chain security policies that are risk-oriented, complementary, formalizable, comprehensible, and practicable. Based on this methodology, we derive nine exemplary policy expressions and implement the approach in OWASP Dependency-Track. Applying it to a dataset of popular packages from three major ecosystems shows that structured combinations of metrics provide actionable and comprehensible support for dependency assessment, while also revealing challenges surrounding data quality, alert management, threshold selection, and the interpretation of signals from supply chain attacks. While the use of metrics is not a complete solution to supply chain security, this work shows that combining them in contextualized policies provides meaningful insights and lays a foundation for the systematic and automated evaluation of dependencies.
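To make the core idea concrete, here is an added example (not code from the paper and not OWASP Dependency-Track's own policy engine) of what "combining metrics into policy expressions" looks like in practice: each policy reads two or more metrics at once, so a single noisy signal such as a long gap since the last release cannot, by itself, flag a dependency. The metric names, thresholds, policy definitions and sample packages are all assumptions constructed for illustration; the paper's actual catalog and its nine policies are not reproduced here.

```python
"""Toy policy engine: combines several dependency metrics into risk-oriented
policy expressions instead of alerting on any single metric in isolation.
Added illustration; the metric names, thresholds and policies are assumptions,
not the paper's catalog or its nine policies."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class DependencyMetrics:
    name: str
    version: str
    days_since_last_release: int   # staleness signal
    active_maintainers: int        # bus-factor signal
    known_vulnerabilities: int     # open advisories affecting this version (constructed count)
    signed_release: bool           # artifact provenance signal
    downloads_last_month: int      # exposure / blast-radius signal


@dataclass(frozen=True)
class Policy:
    name: str
    severity: str                  # "high" | "medium" | "low"
    rationale: str                 # the comprehensibility requirement: say why it fires
    condition: Callable[[DependencyMetrics], bool]


# Every policy reads at least two metrics so that one noisy signal cannot fire it.
POLICIES: List[Policy] = [
    Policy(
        "unmaintained-and-vulnerable", "high",
        "no release for over two years while a known vulnerability is open: a fix is unlikely",
        lambda m: m.days_since_last_release > 730 and m.known_vulnerabilities > 0,
    ),
    Policy(
        "single-maintainer-high-exposure", "medium",
        "one maintainer on a widely used package: account compromise or burnout has broad impact",
        lambda m: m.active_maintainers <= 1 and m.downloads_last_month >= 1_000_000,
    ),
    Policy(
        "unsigned-and-vulnerable", "medium",
        "open vulnerability and no release signature: a patched artifact could not be verified either",
        lambda m: m.known_vulnerabilities > 0 and not m.signed_release,
    ),
]

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def evaluate(metrics: DependencyMetrics, policies=POLICIES) -> List[Tuple[str, str]]:
    """Return (policy name, severity) for every policy whose condition holds."""
    return [(p.name, p.severity) for p in policies if p.condition(metrics)]


def overall_risk(violations: List[Tuple[str, str]]) -> str:
    """Highest severity among the violations, or 'none' when nothing fired."""
    if not violations:
        return "none"
    return max((sev for _, sev in violations), key=SEVERITY_RANK.__getitem__)


# Constructed sample dependencies (not real packages).
SAMPLES = [
    # Stale but healthy: a staleness-only metric would flag it; the combined policy does not.
    DependencyMetrics("stable-lib", "1.4.0", 900, 5, 0, True, 50_000),
    # Stale, one maintainer, open vulnerabilities, unsigned, widely used: every policy fires.
    DependencyMetrics("abandoned-lib", "0.9.2", 1100, 1, 2, False, 3_000_000),
    # Young single-maintainer project with little exposure: nothing fires.
    DependencyMetrics("fresh-lib", "2.0.1", 10, 1, 0, True, 200),
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = evaluate(m)
        print(f"{m.name}@{m.version}: risk={overall_risk(v)} violations={[n for n, _ in v]}")
```

The `rationale` field is what makes the alert comprehensible to the engineer who has to act on it, and the thresholds (730 days, one maintainer, one million downloads) are exactly the kind of values the abstract notes are hard to select; in a real deployment they would be tuned per ecosystem and revisited as data quality improves.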