Protecting open source software by analyzing community behavior
- By Susan Miller
- Mar 16, 2021
To maintain the security of the Defense Department’s open source software supply chain, the Defense Advanced Research Projects Agency wants to create a dynamic and continuously updated OSS situational awareness capability.
The SocialCyber program aims to preserve an OSS project’s integrity and security by providing early warnings of weaknesses, impending project disruption, stagnation or collapse, according to a March 15 presolicitation. By capturing data on the security of a project’s architecture, relevant social behaviors of participants, security economics and the attack surfaces, DARPA expects to develop an overall security assessment of an OSS project’s complex cyber-socio-technical ecosystem.
OSS communities can be damaged by participants contributing flawed code or designs, conducting social media campaigns against OSS developers, submitting misleading bug reports, muddying technical discussions and derailing functional authority on OSS projects. SocialCyber will explore hybrid methods that analyze source code, development-related communication artifacts and social media activity to detect and counteract malevolent cyber-social operations and protect the integrity of DOD’s open source infrastructure.
According to DARPA, critical considerations include a project’s implicit dependencies, which can affect architectural changes and, in turn, the entire project. SocialCyber requires characterizing the roles of the developers, contributors and detractors involved in a project: their contributions, their functional authorities and the channels they use.
Combined technical and social project timelines will also be critical for identifying when participants disrupt an OSS project or push for significant architectural and structural changes that alter the course of the work. SocialCyber also requires a project development timeline that records the history of architectural decisions, long-term architectural trends and upcoming changes.
The $1 million 18-month program expects to demonstrate the situational awareness tool’s ability “to dynamically correlate the code and timelines of a major architectural feature introduction or refactoring with the social activities’ timeline of discussion and decisionmaking, including any social media events relevant to the ‘tipping points’ of the decision, with a clear mapping of parties to technical trends and artifacts,” the solicitation said.
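The correlation the solicitation describes, an architectural commit lined up against the discussion that preceded it, with parties mapped to artifacts, can be sketched in a few lines. The following is an added example written for this page, not code from DARPA, a SocialCyber performer or any OSS project. The commit and discussion records are constructed, and the 30-day look-back window and the four-file threshold for "architectural" commits are assumptions chosen for illustration.

```python
"""
Added example: correlate a project's code timeline with its discussion
timeline around a "tipping point" (here, a large refactoring commit),
and characterize who took part. All records below are constructed.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed commit history: (date, author, files touched, message)
COMMITS = [
    (date(2021, 1, 4), "alice", ["core/auth.c"], "fix null check"),
    (date(2021, 1, 12), "bob", ["core/auth.c", "core/session.c"], "session refactor prep"),
    (date(2021, 2, 2), "bob", ["core/auth.c", "core/session.c", "core/net.c",
                               "include/api.h", "docs/design.md"], "replace auth layer"),
    (date(2021, 2, 9), "carol", ["tests/auth_test.c"], "add tests"),
]

# Constructed discussion events: (date, participant, channel, thread, stance)
DISCUSSIONS = [
    (date(2021, 1, 10), "bob", "mailing-list", "auth redesign", "propose"),
    (date(2021, 1, 15), "alice", "mailing-list", "auth redesign", "object"),
    (date(2021, 1, 20), "dave", "social", "auth redesign", "object"),
    (date(2021, 1, 28), "bob", "issue-tracker", "auth redesign", "decide"),
    (date(2021, 3, 1), "alice", "mailing-list", "release plan", "propose"),
]

REFACTOR_MIN_FILES = 4        # assumption: >= 4 files touched counts as architectural
WINDOW = timedelta(days=30)   # assumption: look 30 days back from the commit


def architectural_commits(commits, min_files=REFACTOR_MIN_FILES):
    """Commits wide enough to count as a feature introduction or refactoring."""
    return [c for c in commits if len(c[2]) >= min_files]


def correlate(commits, discussions, window=WINDOW):
    """For each architectural commit, gather the discussion events in the
    preceding window and map each participant to the artifacts the commit
    touched, the threads involved, and the channels they used."""
    result = []
    for when, author, files, msg in architectural_commits(commits):
        lo = when - window
        related = [d for d in discussions if lo <= d[0] <= when]
        parties = defaultdict(lambda: {"events": 0, "stances": set(), "channels": set()})
        for _d_when, who, channel, _thread, stance in related:
            parties[who]["events"] += 1
            parties[who]["stances"].add(stance)
            parties[who]["channels"].add(channel)
        result.append({
            "commit_date": when,
            "author": author,
            "message": msg,
            "artifacts": sorted(files),
            "threads": sorted({d[3] for d in related}),
            "parties": {
                who: {"events": p["events"],
                      "stances": sorted(p["stances"]),
                      "channels": sorted(p["channels"])}
                for who, p in parties.items()
            },
        })
    return result


def roles(commits, discussions):
    """Rough role characterization from activity counts. A participant who
    argues but never commits is flagged for a human to look at; the count
    alone is not evidence of bad intent."""
    commit_count = defaultdict(int)
    talk_count = defaultdict(int)
    for _when, author, _files, _msg in commits:
        commit_count[author] += 1
    for _when, who, _channel, _thread, _stance in discussions:
        talk_count[who] += 1
    out = {}
    for who in set(commit_count) | set(talk_count):
        if commit_count[who] and talk_count[who]:
            role = "developer"
        elif commit_count[who]:
            role = "contributor"
        else:
            role = "discussion-only"
        out[who] = {"commits": commit_count[who], "events": talk_count[who], "role": role}
    return out


if __name__ == "__main__":
    for entry in correlate(COMMITS, DISCUSSIONS):
        print(entry["commit_date"], entry["author"], entry["message"])
        print("  artifacts:", entry["artifacts"])
        print("  threads:  ", entry["threads"])
        for who, p in sorted(entry["parties"].items()):
            print(f"  {who}: {p}")
    for who, r in sorted(roles(COMMITS, DISCUSSIONS).items()):
        print(who, r)
```

On the constructed data the only architectural commit is the February 2 "replace auth layer" change; the 30-day window pulls in the whole "auth redesign" thread (bob proposing and deciding, alice and dave objecting, one of them on a social channel) and excludes the March release-plan discussion. A real tool would replace the tuples with git log and mailing-list or tracker exports and would need far more care in role attribution, but the shape of the correlation is the one the solicitation asks for.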
Proposals are due April 6.
Susan Miller is executive editor at GCN.
Over a career spent in tech media, Miller has worked in editorial, print production and online, starting on the copy desk at IDG’s ComputerWorld, moving to print production for Federal Computer Week and later helping launch websites and email newsletter delivery for FCW. After a turn at Virginia’s Center for Innovative Technology, where she worked to promote technology-based economic development, she rejoined what was to become 1105 Media in 2004, eventually managing content and production for all the company's government-focused websites. Miller shifted back to editorial in 2012, when she began working with GCN.
Miller has a BA and MA from West Chester University and did Ph.D. work in English at the University of Delaware.
Connect with Susan at [email protected] or @sjaymiller.