Purdue researchers awarded NSF grant to strengthen security of research software supply chains

James Davis, assistant professor in Purdue University’s Elmore Family School of Electrical and Computer Engineering, has been awarded a National Science Foundation (NSF) grant to lead a planning project aimed at protecting the software that underpins scientific research.
Nearly all modern scientific research depends on software. Yet, the systems that develop, share and deploy that software – known as research software supply chains (RSSCs) – are vulnerable to cyber threats. Davis, serving as principal investigator, will lead the effort in partnership with Alexandra Harris-Watson, co-principal investigator and assistant professor in Purdue’s Department of Psychological Sciences.
The project, called CROSS (Community around Securing the Research Software Supply Chain), will bring together researchers, research software engineers and government stakeholders to identify risks to RSSC security and propose ways to strengthen it. Through community workshops, empirical studies and a review of existing knowledge, the team will develop a roadmap for safeguarding the software that supports U.S. research.
“Scientific knowledge today is built on a foundation of software, but that software is complex and vulnerable,” Davis said. “This project will help develop a shared conceptual framework and measurement infrastructure to secure that foundation and ensure the resilience of the research ecosystem.”
Davis adds that what makes this work especially exciting is the chance to think across disciplines, combining technical expertise from engineering with human factors from psychology.
The CROSS project will pursue three main objectives:
- Conduct a systematic literature review to build a conceptual model of RSSCs and their security threats.
- Measure the security posture of real-world research software projects using datasets from national laboratories.
- Host workshops with software engineers and scientific collaborators to capture practitioner insights and build community consensus.
The findings will be integrated into a unified system and threat model, guided by the STAMP (System-Theoretic Accident Model and Process) and TOE (Technology-Organization-Environment) frameworks. The work will culminate in a strategic report for NSF’s Research on Research Security (RoRS) program.
In addition to the Purdue researchers, the project includes collaborators at Loyola University and the University of Alabama, broadening its impact and reach. The effort will also engage undergraduate students at Purdue and Loyola, helping prepare the next generation of cybersecurity and research software engineering professionals.
By addressing vulnerabilities in research software supply chains, Davis and Harris-Watson aim to safeguard the integrity of scientific knowledge, promote national security and strengthen the nation’s capacity for innovation.