Blockchain-Enabled Secure Software Supply Chain Management

Authors

  • Thabo Mbeki, Department of Computer Science, University of Cape Town (UCT), Cape Town, South Africa
  • Dr. Aisha Kamara, Department of Information Systems, University of Ghana, Accra, Ghana
  • Samuel Tadesse, Department of Computer Engineering, Addis Ababa University, Addis Ababa, Ethiopia

Abstract

The rise of complex software supply chains—encompassing code dependencies, third-party libraries, CI/CD pipelines, and distribution channels—has amplified risks such as tampering, dependency confusion, and insertion of malicious components. Traditional security controls often fail to provide end-to-end verification, transparency, and immutability across all stages of software development and delivery. This paper proposes a comprehensive blockchain-based framework for Secure Software Supply Chain Management (SSCM) that enhances trust, integrity, and accountability through decentralised ledgers, smart contracts, and cryptographic auditing.

Our framework integrates the following components: (1) a permissioned blockchain to record and timestamp every critical event in the software supply pipeline—such as source code submissions, build artifacts, dependency updates, vulnerability scans, and deployment; (2) smart contracts that enforce security policies (e.g. requiring signature verification, build reproducibility, and automated alerts for deviations); and (3) an off-chain repository for large binary artifacts whose integrity is guaranteed by on-chain hashes. We implemented the framework using Hyperledger Fabric, and performed evaluation with two real-world open-source projects comprising several hundred modules and dependencies.

The empirical results show that our system achieves full traceability across supply chain stages with 100% integrity verification of all build artifacts, detects 98% of injected malicious dependency events in tests, and incurs an average overhead of only ~7% in build time compared to baseline CI/CD processes. Further, smart contract enforcement reduced policy violation drift by 85%, and the immutable audit trail simplified forensic tasks in the event of supply chain incidents.

In conclusion, blockchain-enabled SSCM offers a resilient solution for securing modern software supply chains. It promises enhanced visibility, tamper resistance, and automated enforcement of security agreements, and can be adopted by organisations seeking to mitigate software supply chain threats. Future work includes scaling the framework for very large ecosystems, enhancing privacy for sensitive metadata, and integrating with existing software development lifecycle tools with minimal disruption.
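To make the three components concrete, the following added example (not the paper's implementation, and not Hyperledger Fabric chaincode) simulates in plain Python a hash-chained, append-only event ledger, an off-chain artifact whose integrity is checked against the on-chain digest, and a smart-contract-style deployment policy requiring a signed build and a passing vulnerability scan. Event names, the `signed`/`result` metadata keys and the sample artifact bytes are assumptions chosen for illustration.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Digest used both for artifact content and for ledger entries."""
    return hashlib.sha256(data).hexdigest()


class SupplyChainLedger:
    """In-memory stand-in for the permissioned ledger: each entry commits to
    the previous entry's hash, so any later edit breaks verify_chain()."""

    def __init__(self):
        self.entries = []

    def record(self, stage, artifact, digest, meta=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"stage": stage, "artifact": artifact, "digest": digest,
                 "meta": meta or {}, "prev": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def deploy_policy(ledger, artifact, blob: bytes):
    """Policy a smart contract would enforce before a deployment event is accepted:
    the off-chain blob must hash to the digest recorded at build time, the build
    must be marked signed, and the latest scan of that digest must have passed."""
    digest = sha256_hex(blob)  # recompute from the off-chain artifact, never trust the caller
    builds = [e for e in ledger.entries if e["stage"] == "build" and e["artifact"] == artifact]
    if not builds or builds[-1]["digest"] != digest:
        return False, "off-chain artifact does not match on-chain build digest"
    if not builds[-1]["meta"].get("signed"):
        return False, "build artifact not signed"
    scans = [e for e in ledger.entries if e["stage"] == "scan" and e["digest"] == digest]
    if not scans or scans[-1]["meta"].get("result") != "pass":
        return False, "no passing vulnerability scan for this digest"
    return True, "ok"
```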

Published

2023-12-30

How to Cite

Blockchain-Enabled Secure Software Supply Chain Management. (2023). American Journal of Engineering, Mechanics and Architecture (2993-2637), 1(10), 387-402. https://grnjournal.us/index.php/AJEMA/article/view/2899