Security Challenges of Complex Space Applications: An Empirical Study
Tomas Paulik
TL;DR
This study investigates security challenges in the SDLC of complex space applications, highlighting four high-risk areas: verification of software artifacts, verification of the deployed application, single-point security failure, and data tampering by trusted stakeholders. Using anonymized expert interviews and a TAS software-supply-chain example, it shows that two challenges—artifact and deployed-application verification—are open problems with inadequate tooling, while microservice architectures and tamper-evidence data management are more mature but face adoption and governance hurdles. The work emphasizes gaps in universal PKI, end-to-end artifact signing, and robust integrity verification within space defense ecosystems, and it advocates for new DevSecOps strategies, tools, and research to strengthen software integrity even when developer machines may be compromised. The findings have practical impact for space and defense organizations seeking heightened assurance across distributed supply chains and deployment environments.
Abstract
Software applications in the space and defense industries have their unique characteristics: They are complex in structure, mission-critical, and often targets of state-of-the-art cyber attacks sponsored by adversary nation states. These applications have typically a high number of stakeholders in their software component supply chain, data supply chain, and user base. The aforementioned factors make such software applications potentially vulnerable to bad actors, as the widely adopted DevOps tools and practices were not designed for high-complexity and high-risk environments. In this study, I investigate the security challenges of the development and management of complex space applications, which differentiate the process from the commonly used practices. My findings are based on interviews with five domain experts from the industry and are further supported by a comprehensive review of relevant publications. To illustrate the dynamics of the problem, I present and discuss an actual software supply chain structure used by Thales Alenia Space, which is one of the largest suppliers of the European Space Agency. Subsequently, I discuss the four most critical security challenges identified by the interviewed experts: Verification of software artifacts, verification of the deployed application, single point of security failure, and data tampering by trusted stakeholders. Furthermore, I present best practices which could be used to overcome each of the given challenges, and whether the interviewed experts think their organization has access to the right tools to address them. Finally, I propose future research of new DevSecOps strategies, practices, and tools which would enable better methods of software integrity verification in the space and defense industries.