Accenture Working with Institute for Data Science to Combat Software Supply Chain Attacks

Written by: Michael Giorgio

Accenture, a leader in information consulting services, is collaborating with NJIT’s Institute for Data Science, led by Distinguished Prof. David Bader, to develop methods to mitigate risks arising in the use of open-source components in the software supply chain.

Modern cloud-based software is incredibly complex and often uses open-source code, which is cost-free and provides developers with countless libraries of prewritten functions. But that openness is also a risk, because anyone can change the code and it’s not always clear who made the changes or what motivated them. A recent malicious exploit in open-source code grabbed headlines in 2021, and continues to pose a risk today.

Lisa O’Connor, global leader of cybersecurity research and development for Accenture, shared the importance of this collaboration. “Understanding supply chain cyber risk is a business resilience imperative. It’s not enough to know the application or service, it’s essential that we understand the code components that make up the application or service,” O’Connor said.

Traditional software bill-of-materials (SBOM) applications — inventories of all the components of a software program, such as containers, licenses, microservices, security patches and versions — may no longer be sufficient to keep track of the software supply chain for security purposes.

Bader and his team, along with peers at Accenture, aim to explore the benefits of next-generation software bills of materials and the traceability of the software supply chain to identify security threats. They are applying structures known as knowledge graphs to model the connections between the software components.

A knowledge graph visually maps data and represents relationships (edges) between entities (nodes). Credit: Benevolent AI

By examining these graphs using Bader’s graph analytical tools, software developers can identify and isolate vulnerable components that may put their software at risk. Finally, the technology makes suggestions about which components to include and which to remove or strengthen.
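The kind of graph query the paragraph above describes, in a deliberately small form, as an added example that is not Accenture's or the Institute's code: a constructed SBOM is modelled as a dependency graph, reverse reachability finds every component put at risk by one vulnerable component, and forward path enumeration shows which direct dependencies pull it in (the candidates to remove, replace or patch). Component names and versions are invented; a real knowledge graph would carry richer node and edge types than plain dependency edges.

```python
from collections import defaultdict, deque

# Constructed sample SBOM (not a real inventory): component -> its declared dependencies.
SBOM = {
    "shop-api@2.4": ["web-framework@5.1", "http-client@3.0", "auth-lib@1.2"],
    "web-framework@5.1": ["template-engine@2.0", "json-parser@1.8"],
    "http-client@3.0": ["json-parser@1.8", "tls-lib@1.1"],
    "auth-lib@1.2": ["crypto-lib@0.9"],
    "template-engine@2.0": [],
    "json-parser@1.8": [],
    "tls-lib@1.1": ["crypto-lib@0.9"],
    "crypto-lib@0.9": [],
}

def build_graph(sbom):
    """Forward edges: dependent -> dependency; reverse edges: dependency -> dependents."""
    forward = {c: list(deps) for c, deps in sbom.items()}
    reverse = defaultdict(list)
    for comp, deps in sbom.items():
        for dep in deps:
            reverse[dep].append(comp)
    return forward, reverse

def affected_components(sbom, vulnerable):
    """Every component that transitively depends on `vulnerable` (BFS over reverse edges)."""
    _, reverse = build_graph(sbom)
    seen, queue = set(), deque([vulnerable])
    while queue:
        node = queue.popleft()
        for dependent in reverse.get(node, []):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen

def dependency_paths(sbom, root, target):
    """All paths root -> ... -> target; each is one route by which the vulnerable code is pulled in."""
    forward, _ = build_graph(sbom)
    paths = []
    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for dep in forward.get(node, []):
            if dep not in path:  # guard against cyclic (malformed) inventories
                walk(dep, path + [dep])
    walk(root, [root])
    return sorted(paths)
```

Calling `affected_components(SBOM, "crypto-lib@0.9")` reports the application and the three libraries that depend on it, and `dependency_paths(SBOM, "shop-api@2.4", "crypto-lib@0.9")` shows that both `auth-lib` and `http-client` (via `tls-lib`) are the direct dependencies to act on.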

“Protecting the open-source software supply chain has tremendous impact on the security of businesses and government. Combining our expertise, the Institute’s real-world graph analytics and Accenture’s cybersecurity expertise, yields a world-class team for addressing this critical supply chain problem,” Bader stated.

“We’re excited about this collaboration with the Accenture team and the results we hope to achieve together,” Bader added. “We plan to share our results in the months to come.”

David A. Bader
Distinguished Professor and Director of the Institute for Data Science

David A. Bader is a Distinguished Professor in the Department of Computer Science at New Jersey Institute of Technology.