Proposal of Vulnerability Assessment Tool for Software Supply Chain Security

抄録

Software supply chain attacks have become more prevalent due to attacker's higher skills and sophisticated attack methods. These attacks can go unnoticed for a long time and cause widespread damage. Therefore, monitoring all software products in the supply chain to detect these attacks is crucial. However, the software supply chain is complex, and tracking suspicious changes to third-party products, services, and libraries used to build software products can be challenging. This makes it difficult for developers to identify and confirm vulnerabilities in the software. Even one vulnerable file in the supply chain can have severe consequences if exploited, so regular vulnerability checks are necessary to keep software products safe. To address this issue, we propose a Vulnerability Assessment Tool that identifies newly found vulnerabilities from public databases and efficiently checks them in existing internal products. Our method uses a two-step process. The first step is estimating related products and directly affected products for a given CVE ID. The second step is a detailed check of the vulnerabilities in the system based on the results estimated in Step 1. This assessment method reduces the time the PSIRT Analyst requires to assess the vulnerabilities.