The software supply chain comprises a highly complex set of operations, processes, tools, institutions and human factors involved in creating a piece of software. A number of high-profile attacks that exploit a weakness in this complex ecosystem have spurred research in identifying classes of supply chain attacks. Yet, practitioners often lack the necessary information to understand their security posture and implement suitable defenses against these attacks. We argue that the next stage of software supply chain security research and development will benefit greatly from a defense-oriented approach that focuses on holistic bottom-up solutions. To this end, this paper introduces the AStRA model, a framework for representing fundamental software supply chain elements and their causal relationships. Using this model, we identify software supply chain security objectives that are needed to mitigate common attacks and systematize knowledge on recent and well-established security techniques for their ability to meet these objectives. We validate our model against prior attacks and taxonomies. Finally, we identify emergent research gaps and propose opportunities to develop novel software development tools and systems that are secure-by-design.

翻译：软件供应链涵盖了创建软件所涉及的高度复杂的操作、流程、工具、制度及人为因素。近年来，一系列利用该复杂生态系统薄弱环节的高影响攻击事件，推动了针对供应链攻击分类识别的研究。然而，从业者往往缺乏必要信息来理解其安全态势并实施有效的防御措施。我们认为，采用以防御为导向、聚焦整体性自底向上解决方案的研究方法，将极大推动软件供应链安全研究与发展的下一阶段。为此，本文提出AStRA模型——一个用于表征软件供应链基础要素及其因果关系的框架。基于该模型，我们明确了缓解常见攻击所需的软件供应链安全目标，并依据其满足这些目标的能力，对新兴及成熟安全技术进行了知识体系化梳理。我们通过历史攻击案例与现有分类体系验证了该模型的有效性。最后，我们识别了新兴研究缺口，并提出了开发具备内生安全特性的新型软件开发工具与系统的潜在方向。