| Funder | National Science Foundation (US) |
|---|---|
| Recipient Organization | University of Delaware |
| Country | United States |
| Start Date | Oct 01, 2024 |
| End Date | Sep 30, 2029 |
| Duration | 1,825 days |
| Number of Grantees | 1 |
| Roles | Principal Investigator |
| Data Source | National Science Foundation (US) |
| Grant ID | 2338837 |
Continuous software development is a modern software practice enabling automated software development and deployment. It has gained widespread adoption across many organizations, including technology companies and financial institutions. Unfortunately, continuous software development is vulnerable to various software supply chain attacks, which have posed significant risks to the United States and the global community.
This project aims to investigate emerging threats and develop effective mitigation strategies to secure the software build and development process. The novelty of this project lies in comprehensively and systematically inspecting the entire continuous software development pipeline, covering the relevant stakeholders. It can improve the nation’s cybersecurity by enhancing software supply chain security.
Additionally, educational efforts and outreach activities will be conducted to promote cybersecurity awareness.
This project will develop a holistic framework combining online dynamic executions and offline static analysis to automatically analyze the continuous software development pipeline. The first task will focus on developing a comprehensive security testing system analyzing all critical components and their interactions with relevant stakeholders. The second task will incorporate additional modules to investigate security threats in popular mechanisms and add-on features, such as third-party plugins and different sandboxing techniques.
The third task will design a novel threat detector for organizations and developers to thoroughly analyze their repositories and identify security smells. Ultimately, the project aims to develop both short-term remediations and long-term defense systems that can effectively mitigate potential security threats. The overall security risks will be evaluated by large-scale measurement studies on open source repositories.
The defense strategies will be integrated into existing systems, and thoroughly evaluated in real-world scenarios to demonstrate their effectiveness.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.
University of Delaware