Giovanni Bloise
A vulnerability model for software supply chains.
Supervisors: Fulvio Valenza, Daniele Bringhenti, Riccardo Sisto, Gianmarco Bachiorrini. Politecnico di Torino, not specified, 2025
PDF (Tesi_di_laurea)
- Thesis
License: Creative Commons Attribution Non-commercial No Derivatives. Download (6MB)
| Abstract: | This thesis addresses the need to detect vulnerabilities in digital supply chains (DSCs). Modern supply chains rely on interconnected services such as software components, cloud platforms and IoT devices. While this interconnection brings several advantages, it also introduces new security challenges: the overall level of protection is no longer determined only by strong internal defenses, but also depends on the security level of each actor in the chain. Specifically, each link in the DSC needs a high level of security, which makes manual monitoring of the whole supply chain not scalable. To address this issue, this work starts from an existing threat analysis framework, TAMELESS (Threat & Attack ModEL Smart System). TAMELESS is a tool that, given as input the components of a system, their relationships, and properties, can identify potential threats. This thesis proposes an updated version of the model, specifically optimized for software-based environments. The new version integrates Common Vulnerabilities and Exposures (CVEs) into the model’s entities, together with new relations, rules and a patching mechanism. The goal is to extend the framework so that it can support threat analysis of digital supply chains and address the challenges arising from their complexity. The model presented in this thesis makes it possible to analyze a software environment by considering its components, the threats that may target them, the known vulnerabilities (CVEs) they are affected by, and the relationships that connect them. In this way, it is possible to determine to which threats a specific software component is exposed, which vulnerabilities compromise it, and how a potential threat could propagate through the supply chain if that component were compromised. Finally, the graphical user interface (GUI) of the tool has been enhanced not only to support the new version, but also to improve its usability and make it more accessible for end users. |
|---|---|
| Supervisors: | Fulvio Valenza, Daniele Bringhenti, Riccardo Sisto, Gianmarco Bachiorrini |
| Academic year: | 2025/26 |
| Publication type: | Electronic |
| Number of pages: | 83 |
| Subjects: | |
| Degree programme: | Not specified |
| Degree class: | New system > Master's degree > LM-32 - Computer Engineering |
| Collaborating companies: | Not specified |
| URI: | http://webthesis.biblio.polito.it/id/eprint/37922 |



Creative Commons License - Attribution 3.0 Italy