Software supply chains (SSCs) are complex systems composed of dynamic, heterogeneous technical and social components which collectively achieve the production and maintenance of software artefacts. Attacks on SSCs are increasing, yet pervasive vulnerability analysis is challenging due to their complexity. Therefore, threat detection must be targeted, to account for the large and dynamic structure, and adaptive, to account for their change and diversity. While current work focuses on technical approaches for monitoring supply chain dependencies and establishing component controls, approaches which inform threat detection through an understanding of the socio-technical dynamics are lacking. We outline a position and research vision to develop and investigate the use of socio-technical models to support adaptive threat detection of SSCs. We motivate this approach through an analysis of the XZ Utils attack, whereby malicious actors undermined the maintainers' trust via the project's GitHub and mailing lists. We highlight that monitoring technical and social data can identify trends which indicate suspicious behaviour and thereby inform targeted and intensive vulnerability assessment. We identify challenges and research directions to achieve this vision, considering techniques for developer and software analysis, decentralised adaptation, and the need for a test bed for software supply chain security research.
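As an added illustration of the socio-technical trend monitoring the abstract describes (example code, not the paper's method or data), the block below scores a constructed stream of repository and mailing-list events with three assumed heuristics: maintainer rights granted after a short tenure, a surge in a newcomer's share of commits, and handover requests from accounts that have never touched the repository. Event names, thresholds and the sample data are all assumptions.

```python
"""Socio-technical trend flags over a constructed contributor event stream."""
from collections import Counter, defaultdict

# Constructed sample events (illustrative only, not data from the paper).
# day: days since project start; channel: "repo" (technical) or "list" (social).
EVENTS = [
    {"day": 10,  "actor": "alice", "channel": "repo", "kind": "commit"},
    {"day": 200, "actor": "alice", "channel": "repo", "kind": "commit"},
    {"day": 290, "actor": "alice", "channel": "repo", "kind": "commit"},
    {"day": 300, "actor": "newcomer", "channel": "repo", "kind": "commit"},
    {"day": 320, "actor": "acct1", "channel": "list", "kind": "handover_request", "target": "newcomer"},
    {"day": 330, "actor": "acct2", "channel": "list", "kind": "handover_request", "target": "newcomer"},
    {"day": 340, "actor": "alice", "channel": "repo", "kind": "maintainer_added", "target": "newcomer"},
    {"day": 350, "actor": "newcomer", "channel": "repo", "kind": "commit"},
    {"day": 360, "actor": "newcomer", "channel": "repo", "kind": "commit"},
    {"day": 370, "actor": "newcomer", "channel": "repo", "kind": "commit"},
]


def socio_technical_flags(events, window=90, min_tenure=365, share_limit=0.5):
    """Return {actor: [flag, ...]} combining technical and social trend signals.

    Assumed heuristics (not the paper's):
      rapid_privilege   - maintainer rights granted before min_tenure days of activity
      commit_surge      - share of commits in the last `window` days above share_limit
                          while the actor's tenure is still below min_tenure
      external_pressure - two or more list messages from accounts with no repo
                          activity asking that this actor be given maintainer rights
    """
    last_day = max(e["day"] for e in events)
    first_seen = {}
    for e in sorted(events, key=lambda e: e["day"]):
        first_seen.setdefault(e["actor"], e["day"])
    repo_actors = {e["actor"] for e in events if e["channel"] == "repo"}
    flags = defaultdict(list)

    # Technical signal: privilege granted early in an account's history.
    for e in events:
        if e["kind"] == "maintainer_added":
            target = e["target"]
            if e["day"] - first_seen.get(target, e["day"]) < min_tenure:
                flags[target].append("rapid_privilege")

    # Technical trend: a short-tenure actor dominating recent commits.
    recent = Counter(e["actor"] for e in events
                     if e["kind"] == "commit" and e["day"] > last_day - window)
    total = sum(recent.values())
    for actor, n in recent.items():
        if total and n / total > share_limit and last_day - first_seen[actor] < min_tenure:
            flags[actor].append("commit_surge")

    # Social signal: handover pressure from accounts that never contribute code.
    pressure = Counter(e["target"] for e in events
                       if e["kind"] == "handover_request" and e["actor"] not in repo_actors)
    for actor, n in pressure.items():
        if n >= 2:
            flags[actor].append("external_pressure")
    return dict(flags)
```

Flags are meant to trigger the targeted vulnerability assessment the abstract calls for, not to act as verdicts on their own.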