Securing the software supply chain: The role of SBOM in modern development


School of Electrical Engineering | Master's thesis


Language

en

Pages

73

Abstract

Software supply chain security has become increasingly important because of the complex ecosystem of modern software development. There are several vectors through which software security or supply chain security can be compromised, and the software components (dependencies) used in software are one of them. This thesis studies software supply chain security through the lens of software dependencies. Numerous solutions and techniques are currently available on the market to tackle supply chain security, and all claim to be the best solution. This thesis goes deeper by implementing those solutions and evaluating them for a better understanding. The tools implemented in this thesis include Syft, Trivy, Grype, FOSSA, dependency-check, and Gemnasium. Software dependencies are generated in a Software Bill of Materials (SBOM) format using these open-source tools, and the corresponding results are analyzed. Among these tools, Syft and Trivy outperform the others, as they provide relevant and accurate information on software dependencies. Another important finding of this thesis is that vulnerabilities and the attack surface can be reduced by decoupling the host and build environments. By using a container-based build environment, the number of vulnerabilities is reduced considerably. It also reduces the build time, enabling better efficiency. Additionally, this thesis integrates the open-source tools into a Continuous Integration (CI) pipeline provided by GitLab and provides a way to monitor software security continuously. This also demonstrates how to take advantage of both free and paid solutions in a production setting.

Supervisor

Manner, Jukka

Thesis advisor

Lauronen, Pasi
