Stop Trusting Trust

Trust in software one did not build might be practically impossible, leaving the task of establishing and rigorously enforcing tolerable levels of distrust in others’ code. Working to improve the security of software and managing these levels of distrust is critical for private-sector enterprise as well as sensitive defense and intelligence organizations.

Breaking Trust: The Project

Trust in software one did not build may be practically impossible, leaving the task of establishing and rigorously enforcing tolerable levels of distrust in others’ code. Working to improve the security of software and managing these levels of distrust is critical for private sector enterprise as well as sensitive defense and intelligence organizations. This project remains ongoing to highlight the need for a more coherent policy response together with action from industry and open-source communities.

Projects

The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

Software Supply Chains

Wed, May 1, 2024

The 5×5—The XZ Backdoor: Trust and Open Source Software

Open source software security experts share their insights into the XZ backdoor, and what it means for open source software security.

by Nitansha Bansal, Stewart Scott

Cybersecurity, Open Source Software

Thu, Apr 18, 2024

O$$ Security: Does More Money for Open Source Software Mean Better Security? A Proof of Concept

A proof-of-concept study looking for correlation between open source software project funding and security practices at scale.

by Sara Ann Brackett, John Speed Meyers, Stewart Scott

Cybersecurity, Open Source Software

Fri, Jan 26, 2024

The Great Despiser: The BSA, Memory Safety, and How to Make a Good Argument Badly

Memory-safe programming languages are in the cyber policy mainstream, but some hesitation remains. Looking at the arguments around memory safety is informative for larger cyber policy debates too.

by Stewart Scott

Cybersecurity, Software Supply Chains

Thu, Oct 12, 2023

Driving Software Recalls: Manufacturing Supply Chain Best Practices for Open Source Consumption

Product recalls require practices that can help software vendors move toward better component selection and tracking and better relationships with customers, all while making software vendors responsible for OSS security instead of maintainers.

by Jeff Wayman, Brian Fox

Cybersecurity, Open Source Software

Wed, Sep 27, 2023

Kink in the Chain: Eight Perspectives on Software Supply Chain Risk Management

Software supply chain attacks are popular, impactful, and are used to great effect by malicious actors. To dive deeper on this topic, we asked eight experts about these threats and how policymakers can help protect against them.

by Cyber Statecraft Initiative

Cybersecurity, Software Supply Chains

Wed, Sep 27, 2023

Software Supply Chain Security: The Dataset

Want to dive deeper into the Breaking Trust database? You have come to the right place.

by Will Loomis, Stewart Scott, Trey Herr, Sara Ann Brackett, Nancy Messieh, and June Lee

Cybersecurity, Software Supply Chains

Wed, Jul 19, 2023

Why Do SBOM Haters Hate? Or Why Trade Associations Say the Darndest Things

SBOMs are an important step forward for software supply chain security, so despite pushback and opposition, industry and government should take a page out of Taylor Swift’s book and just keep cruisin’, not letting SBOM haters get in the way.

by John Speed Meyers, Sara Ann Brackett, and Trey Herr

Cybersecurity, Cybersecurity Standards and Requirements