DevOps leaders hoping to find a single cybersecurity risk framework that will shield their work from the kinds of compromises that lead to supply chain attacks will have a hard time, according to a new research paper.
In a paper submitted to Cornell University’s arXiv site for academic manuscripts, the six researchers — four from North Carolina State University, one from Yahoo and one between positions — said they could rank the top tasks that application development teams should perform to blunt possible compromises in their work that might lead to their applications being used to attack users.
They did it by mapping the 114 reported techniques used in compromising three vital projects, SolarWinds Orion, Log4j and XZ Utils, against the 73 recommended tasks listed in 10 software security frameworks, including the US NIST Secure Software Development Framework.