- Submission Deadline: 17 March 2023
- Publication: November/December 2023
The modern world relies on digital innovation in almost every human endeavor and for our critical infrastructure. Digital innovation has accelerated substantially as software is increasingly built on top of layers of reusable abstractions, including libraries, frameworks, and cloud infrastructure, which often lie outside an organization’s trust boundary. Leveraging these reusable abstractions gives rise to software supply chains, in which software products include ‘upstream’ components, a.k.a. dependencies, created and modified by others, which in turn often include their own transitive dependencies. Most of these dependencies are open-source projects. However, with all the power that software supply chains and open-source infrastructure provide also come risks.
The 2022 annual report from Sonatype shows an average 742% annual increase in software supply chain (SSC) attacks over the past three years. The impact of these attacks has been widespread, as shown by the SolarWinds, Codecov, and log4j attacks. The software industry has moved from facing passive adversaries who find and exploit vulnerabilities to a new generation of supply chain attacks in which adversaries aggressively implant malware directly into open-source projects, from where it finds its way into build and deployment pipelines.
This special issue of IEEE Security & Privacy aims to highlight software supply chain security research and experiences of value to practitioners and to security researchers. Topics include, but are not limited to:
- New insights or takeaways with practical implications based on empirical studies, including case studies, experiments, field studies, and surveys
- Experience reports on best practices for implementing a secure software supply chain, including the use of standards and practices such as Zero Trust and DevSecOps
- Challenges in implementing practices to comply with new legislation, such as US Executive Order 14028 and the European Cybersecurity Act
- New tools for analysis, visualization, or monitoring designed to support practitioners, or evaluations of such tools
- Frameworks for better understanding and supporting the implementation of supply chain security
- Overview, survey, or systemization of knowledge papers that integrate and synthesize existing knowledge to provide new insights into a previously studied area of interest
In addition to full papers, opinion pieces are welcome.
For author information and submission criteria for full papers, please visit the Author Information page. As stated there, full papers should be 4900 – 7200 words in length. Please submit full papers through the ScholarOne system, and be sure to select the special-issue name. Manuscripts should not be published or currently submitted for publication elsewhere. There should be no more than 15 references. Related work should appear in a separate, clearly marked box. Please submit only full papers intended for peer review, not opinion pieces, to the ScholarOne portal.
Viewpoint pieces should contain no more than 2000 words. The title should start with the type of submission, i.e., “A viewpoint on…”. There should be no more than 10 references. These submissions should be converted to PDF and emailed to the guest editors at email@example.com by the submission deadline.
Contact the guest editors at firstname.lastname@example.org.
- Fabio Massacci, Vrije Universiteit, the Netherlands and University of Trento, Italy
- Laurie Williams, North Carolina State University, USA