Date of Award

Spring 5-29-2024

Document Type

Thesis (Undergraduate)

Department

Computer Science

First Advisor

Charles Palmer

Second Advisor

Vasanta Lakshmi Kommineni

Third Advisor

Allan Friedman

Abstract

Open source software has become a cornerstone of modern software development, offering unparalleled opportunities for innovation and collaboration. However, its widespread adoption has also introduced a host of security vulnerabilities, particularly in the software supply chain. This paper provides a comprehensive cost-benefit analysis of achieving various security thresholds to harden the build environment, focusing on isolated, hermetic, reproducible, and bootstrappable builds. For each build type, we provide a clear definition and outline the steps required for implementation. We then evaluate the associated costs and benefits of each build, emphasizing their roles in strengthening the build environment and enhancing supply chain security. The paper concludes with recommendations for stakeholders, including startups, large corporations, and government agencies, and proposes future research directions to enhance build environment security.
