EXECUTIVE SUMMARY: This paper stems from the consideration that software is highly spread in nowadays societies. Despite this significant level of adoption, how software is made remains a less known aspect. In particular, the complexity of software development has only increased in the recent years, with an evolution in methodologies and processes used, the tools, the languages, and the speed. Not to mention very recent potential developments brought by using large language models in writing code (however such implications will not be the focus of this work).
Even though developers can strive to build secure code and follow best practices, it is evident from this analysis that the way software is built today implies a heavy reliance on third parties’ contributions, as well as the usage of externally provided tools and components. If this allows modern software to exist, such complex ramifications of dependencies creates some cybersecurity challenges.
This paper discusses the lifecycle development of software and provides an analysis of how software is commonly developed today, what tools and technologies are typically used and what risks exist. The main objective is to identify the most relevant cybersecurity challenges, and what are the implications of how the software is developed and consumed. A specific focus is on the software supply chain due to the increase of the attack surface. In essence, compromising upstream components of the software supply chain will mean that malicious activity can happen in environments that are distant from the those who develop the software and even more distant from those who sell the final product or service. One key element stemming from the analysis of the software lifecycle is the importance of software supply chain as a critical aspect of European sovereignty and autonomy.
The ultimate goal is to provide recommendations with clear references to frameworks on software supply chain, and good practices for development, maintainance and risk exposure reduction.
This paper also propose some areas where further innovation is needed in order to increase the overall security posture of the current software development ecosystem, keeping an eye on automation, open-source software development and techniques to reduce the available attack surface.
A technical paper by ECSO’s Working Group 6
The author of this paper is the ECSO’s Working Group 6 – Technologies & Innovation and Defence & Space. The mission of this group is to create a cybersecurity research and innovation roadmap for the EU, aiming to strengthen and build a resilient ecosystem.
roberto g. cascella
CTO
roberto.cascella[at]ecs-org.eu
matteo mole
Manager for technologies innovation and trusted supply chain
matteo.mole[at]ecs-org.eu