Exploring the Dynamics of Software Bill of Materials (SBOMs) and Security Integration in Open Source Projects
Blekinge Institute of Technology, Faculty of Computing, Department of Software Engineering.
2024 (English)
Independent thesis, Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits
Student thesis
Abstract [en]

Background. The rapid expansion of open-source software has introduced significant security challenges, particularly concerning supply chain attacks. Software supply chain attacks, such as the NotPetya attack, have underscored the critical need for robust security measures. Managing dependencies and protecting against such attacks have become important, leading to the emergence of Software Bill of Materials (SBOMs) as a crucial tool. SBOMs offer a comprehensive inventory of software components, aiding in identifying vulnerabilities and ensuring software integrity.

Objectives. Investigate the information contained within SBOMs in Python and Go repositories on GitHub. Analyze the evolution of SBOM fields over time to understand how software dependencies change. Examine the impact of the US Executive Order of May 2021 on the quality of SBOMs across software projects. Conduct dynamic vulnerability scans in repositories with SBOMs, focusing on identifying types and trends of vulnerabilities.

Methods. The study employs archival research and quasi-experimentation, leveraging data from GitHub repositories. This approach facilitates a comprehensive analysis of SBOM contents, their evolution, and the impact of policy changes and security measures on software vulnerability trends.

Results. The study reveals that SBOMs are becoming more complex as projects grow, with Python projects generally having more components than Go projects. Both ecosystems saw reductions in vulnerabilities in later versions. The US Executive Order of 2021 positively impacted SBOM quality, with measures like structural elements and NTIA guidelines showing significant improvements post-intervention. Integrating security scans with SBOMs helped identify a wide range of vulnerabilities. Projects varied in critical vulnerabilities, highlighting the need for tailored security strategies. CVSS scores and CWE IDs provided insights into vulnerability severity and types.

Conclusions. The thesis highlights the crucial role of SBOMs in improving software security practices in open-source projects. It shows that policy interventions like the US Executive Order and security scans can significantly enhance SBOM quality, leading to better vulnerability management and detection strategies. The findings contribute to the development of robust dependency management and vulnerability detection methodologies in open-source software projects.

Place, publisher, year, edition, pages
2024, p. 78
Keywords [en]
Supply chain, SBOM, Software Bill of Materials, US Executive Order May 2021, Open-Source Software, Vulnerability, cyber security.
National Category
Software Engineering
Identifiers
URN: urn:nbn:se:bth-26057
OAI: oai:DiVA.org:bth-26057
DiVA id: diva2:1844757
Subject / course
PA2534 Master's Thesis (120 credits) in Software Engineering
Educational program
PAADA Master Qualification Plan in Software Engineering 120,0 hp
Available from: 2024-03-18
Created: 2024-03-14
Last updated: 2024-03-18
Bibliographically approved

Open Access in DiVA

fulltext (1583 kB), 307 downloads
File information
File name: FULLTEXT01.pdf
File size: 1583 kB
Checksum SHA-512: 66ee357ef853284b325ee9239cfb51974267b8529260b3f2c8a6bde266608e371096575871ae1e22a0948f81ddf727222c8d871f1c6263f7c6aa6c17fc29cb3a
Type: fulltext
Mimetype: application/pdf
