Open-source software (OSS) is a critical part of the software supply chain. Recent social engineering attacks against OSS development teams have enabled attackers to become code contributors and later inject malicious code or vulnerabilities into the project with the goal of compromising dependent software. The attackers have exploited interactions among development team members and the social dynamics of team behavior to enable their attacks. We introduce a security approach that leverages signatures and patterns of team dynamics to predict the susceptibility of a software development team to social engineering attacks that enable access to the OSS project code. The proposed approach is programming language-, platform-, and vulnerability-agnostic because it assesses the artifacts of OSS team interactions, rather than OSS code.
翻译:开放源码软件(OSS)是软件供应链的关键部分。最近对OSS开发团队的社会工程袭击使袭击者成为代码贡献者,后来又将恶意代码或弱点注入项目,目的是损害依赖软件。袭击者利用开发团队成员之间的互动以及团队行为的社会动态,使他们能够发动袭击。我们引入了一种安全方法,利用团队特征和动态模式,预测软件开发团队易受社会工程袭击的可能性,从而能够获取开放源码软件项目代码。拟议的方法是编程语言、平台和脆弱性识别,因为它评估了开放源码软件团队互动的文物,而不是开放源码软件代码。