Salvato in:
Dettagli Bibliografici
Autori principali: Dong, Liming, Lee, Sung Une, Xing, Zhenchang, Ahmed, Muhammad Ejaz, Avgoustakis, Stefan
Natura: Preprint
Pubblicazione: 2025
Soggetti:
Accesso online:https://arxiv.org/abs/2510.26174
Tags: Aggiungi Tag
Nessun Tag, puoi essere il primo ad aggiungerne!!
_version_ 1866908619969134592
author Dong, Liming
Lee, Sung Une
Xing, Zhenchang
Ahmed, Muhammad Ejaz
Avgoustakis, Stefan
author_facet Dong, Liming
Lee, Sung Une
Xing, Zhenchang
Ahmed, Muhammad Ejaz
Avgoustakis, Stefan
contents The increasing frequency and sophistication of software supply chain attacks pose severe risks to critical infrastructure sectors, threatening national security, economic stability, and public safety. Despite growing awareness, existing security practices remain fragmented and insufficient, with most frameworks narrowly focused on isolated life cycle stages or lacking alignment with the specific needs of critical infrastructure (CI) sectors. In this paper, we conducted a multivocal literature review across international frameworks, Australian regulatory sources, and academic studies to identify and analyze security practices across the software supply chain, especially specific CI sector. Our analysis found that few existing frameworks are explicitly tailored to CI domains. We systematically leveraged identified software supply chain security frameworks, using a "4W+1H" analytical approach, we synthesized ten core categories (what) of software supply chain security practices, mapped them across life-cycle phases (when), stakeholder roles (who), and implementation levels (how), and examined their coverage across existing frameworks (where). Building on these insights, the paper culminates in structured, multi-layered checklist of 80 questions designed to relevant stakeholders evaluate and enhance their software supply chain security. Our findings reveal gaps between framework guidance and sector-specific needs, highlight the need for integrated, context-aware approaches to safeguard critical infrastructure from evolving software supply chain risks.
format Preprint
id arxiv_https___arxiv_org_abs_2510_26174
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle The "4W+1H" of Software Supply Chain Security Checklist for Critical Infrastructure
Dong, Liming
Lee, Sung Une
Xing, Zhenchang
Ahmed, Muhammad Ejaz
Avgoustakis, Stefan
Software Engineering
The increasing frequency and sophistication of software supply chain attacks pose severe risks to critical infrastructure sectors, threatening national security, economic stability, and public safety. Despite growing awareness, existing security practices remain fragmented and insufficient, with most frameworks narrowly focused on isolated life cycle stages or lacking alignment with the specific needs of critical infrastructure (CI) sectors. In this paper, we conducted a multivocal literature review across international frameworks, Australian regulatory sources, and academic studies to identify and analyze security practices across the software supply chain, especially specific CI sector. Our analysis found that few existing frameworks are explicitly tailored to CI domains. We systematically leveraged identified software supply chain security frameworks, using a "4W+1H" analytical approach, we synthesized ten core categories (what) of software supply chain security practices, mapped them across life-cycle phases (when), stakeholder roles (who), and implementation levels (how), and examined their coverage across existing frameworks (where). Building on these insights, the paper culminates in structured, multi-layered checklist of 80 questions designed to relevant stakeholders evaluate and enhance their software supply chain security. Our findings reveal gaps between framework guidance and sector-specific needs, highlight the need for integrated, context-aware approaches to safeguard critical infrastructure from evolving software supply chain risks.
title The "4W+1H" of Software Supply Chain Security Checklist for Critical Infrastructure
topic Software Engineering
url https://arxiv.org/abs/2510.26174