Software supply chain frameworks, such as the US NIST Secure Software Development Framework (SSDF), detail the tasks software development organizations should adopt to reduce security risk. However, to further reduce the risk of similar attacks recurring, framework adopters (i.e., software organizations) would benefit from knowing which tasks mitigate the attack techniques attackers are currently using, both to prioritize their efforts and to reveal gaps in current framework tasks that leave organizations vulnerable. The goal of this study is to aid software supply chain framework adopters in reducing the risk of attacks by systematically mapping the attack techniques used in the SolarWinds, Log4j, and XZ Utils attacks to the framework tasks that mitigate them. We qualitatively analyzed 106 Cyber Threat Intelligence (CTI) reports on these three attacks to gather the attack techniques. We then systematically constructed a mapping between the attack techniques and the 73 tasks enumerated in 10 software supply chain frameworks. Afterward, we established and ranked priority tasks that mitigate attack techniques. The three mitigation tasks with the highest scores are role-based access control, system monitoring, and boundary protection. Additionally, three mitigation tasks were missing from all ten frameworks, including sustainable open-source software and environmental scanning tools. Thus, software products would remain vulnerable to software supply chain attacks even if organizations adopted all recommended tasks.