Tūwhana - Finding, understanding, and mitigating vulnerabilities in domestic and global software supply chains

This is a research project funded by the New Zealand / Aotearoa Ministry of Business, Innovation and Employment (MBIE) Endeavour Fund.
The project will start on 1 October 2025; more information is coming soon.

The project is structured around three main sets of actions:

Detect

  • Improve the accuracy of SBOM construction and Software Composition Analysis. This includes confirming true positives by synthesising exploits.
  • Find vulnerabilities in AI datasets that can be used as novel attack vectors, similar to CVE-2024-27318 and CVE-2024-27322.
  • Find sources of variability that lead to failing reproducible and alternative builds.

Respond

  • Tools to prioritise Software Composition Analysis results, which also improves the utility of SBOMs.
  • Tools to compare and assess binaries produced by different builds of the same sources.
  • Tools to prevent the use of vulnerable AI datasets.

Adapt, Report and Comply

There are multiple existing and emerging standards related to software supply chain security, including SBOM, VEX, OpenSSF Scorecard, in-toto and SLSA, and some related legislation is emerging overseas, such as US Executive Order 14028 and the EU Cyber Resilience Act. There is some uncertainty about policy changes, and more legislation is likely to emerge. We will identify the status quo and any barriers to adoption, and help New Zealand organisations adapt and adopt tools, technologies and standards developed by ourselves and others.