Stop Trusting Trust

Trust in software one did not build might be practically impossible, leaving the task of establishing and rigorously enforcing tolerable levels of distrust in others’ code. Working to improve the security of software and managing these levels of distrust is critical for private-sector enterprise as well as sensitive defense and intelligence organizations.

Projects


The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

Software Supply Chains

Wed, May 1, 2024

The 5×5—The XZ Backdoor: Trust and Open Source Software

Open source software security experts share their insights into the XZ backdoor, and what it means for open source software security.

by Nitansha Bansal, Stewart Scott

Cybersecurity Open Source Software

Thu, Apr 18, 2024

O$$ Security: Does More Money for Open Source Software Mean Better Security? A Proof of Concept

A proof-of-concept study looking for correlation between open source software project funding and security practices at scale.

by Sara Ann Brackett, John Speed Meyers, Stewart Scott

Cybersecurity Open Source Software

Fri, Jan 26, 2024

The Great Despiser: The BSA, Memory Safety, and How to Make a Good Argument Badly

Memory-safe programming languages are in the cyber policy mainstream, but some hesitation remains. Looking at the arguments around memory safety is informative for larger cyber policy debates too.

by Stewart Scott

Cybersecurity Software Supply Chains

Thu, Oct 12, 2023

Driving Software Recalls: Manufacturing Supply Chain Best Practices for Open Source Consumption

Product recalls require practices that can help software vendors move toward better component selection and tracking and better relationships with customers, all while making software vendors responsible for OSS security instead of maintainers.

by Jeff Wayman, Brian Fox

Cybersecurity Open Source Software

Wed, Sep 27, 2023

Kink in the Chain: Eight Perspectives on Software Supply Chain Risk Management

Software supply chain attacks are popular, impactful, and are used to great effect by malicious actors. To dive deeper on this topic, we asked eight experts about these threats and how policymakers can help protect against them.

by Cyber Statecraft Initiative

Cybersecurity Software Supply Chains

Wed, Sep 27, 2023

Software Supply Chain Security: The Dataset

Want to dive deeper into the Breaking Trust database? You have come to the right place.

by Will Loomis, Stewart Scott, Trey Herr, Sara Ann Brackett, Nancy Messieh, and June Lee

Cybersecurity Software Supply Chains

Wed, Jul 19, 2023

Why Do SBOM Haters Hate? Or Why Trade Associations Say the Darndest Things

SBOMs are an important step forward for software supply chain security, so despite pushback and opposition, industry and government should take a page out of Taylor Swift’s book and just keep cruisin’, don’t let SBOM haters get in the way. 

by John Speed Meyers, Sara Ann Brackett, and Trey Herr

Cybersecurity Software Liability