Software Transparency

Supply Chain Security in an Era of a Software-Driven Society
1st edition

by: Chris Hughes, Tony Turner, Allan Friedman, Steve Springett

22,99 €

Publisher: Wiley
Format: PDF
Published: 27.04.2023
ISBN/EAN: 9781394158508
Language: English
Number of pages: 336

DRM-protected eBook; to read it you need, for example, Adobe Digital Editions and an Adobe ID.

Description

<p><b>Discover the new cybersecurity landscape of the interconnected software supply chain</b></p>
<p>In <i>Software Transparency: Supply Chain Security in an Era of a Software-Driven Society</i>, a team of veteran information security professionals delivers an expert treatment of software supply chain security. In the book, you’ll explore real-world examples and guidance on how to defend your own organization against internal and external attacks. It covers topics including the history of the software transparency movement, software bills of materials, and high-assurance attestations.</p>
<p>The authors examine the background of attack surfaces that are increasingly exposed, such as mobile and social networks, retail and banking systems, and infrastructure and defense systems. You’ll also discover:</p>
<ul>
<li>Use cases and practical guidance for both software consumers and suppliers</li>
<li>Discussions of firmware and embedded software, as well as cloud and connected APIs</li>
<li>Strategies for understanding federal and defense software supply chain initiatives related to security</li>
</ul>
<p>An essential resource for cybersecurity and application security professionals, <i>Software Transparency</i> will also be of extraordinary benefit to industrial control system, cloud, and mobile security professionals.</p>
<p>Foreword xxi</p>
<p>Introduction xxv</p>
<p><b>Chapter 1 Background on Software Supply Chain Threats 1</b></p>
<p>Incentives for the Attacker 1</p>
<p>Threat Models 2</p>
<p>Threat Modeling Methodologies 3</p>
<p>STRIDE 3</p>
<p>STRIDE-LM 4</p>
<p>Open Worldwide Application Security Project (OWASP) Risk-Rating Methodology 4</p>
<p>DREAD 5</p>
<p>Using Attack Trees 5</p>
<p>Threat Modeling Process 6</p>
<p>Landmark Case 1: SolarWinds 14</p>
<p>Landmark Case 2: Log4j 18</p>
<p>Landmark Case 3: Kaseya 21</p>
<p>What Can We Learn from These Cases? 23</p>
<p>Summary 24</p>
<p><b>Chapter 2 Existing Approaches—Traditional Vendor Risk Management 25</b></p>
<p>Assessments 25</p>
<p>SDL Assessments 28</p>
<p>Application Security Maturity Models 29</p>
<p>Governance 30</p>
<p>Design 30</p>
<p>Implementation 31</p>
<p>Verification 31</p>
<p>Operations 32</p>
<p>Application Security Assurance 32</p>
<p>Static Application Security Testing 33</p>
<p>Dynamic Application Security Testing 34</p>
<p>Interactive Application Security Testing 35</p>
<p>Mobile Application Security Testing 36</p>
<p>Software Composition Analysis 36</p>
<p>Hashing and Code Signing 37</p>
<p>Summary 39</p>
<p><b>Chapter 3 Vulnerability Databases and Scoring Methodologies 41</b></p>
<p>Common Vulnerabilities and Exposures 41</p>
<p>National Vulnerability Database 44</p>
<p>Software Identity Formats 46</p>
<p>CPE 46</p>
<p>Software Identification Tagging 47</p>
<p>purl 49</p>
<p>Sonatype OSS Index 50</p>
<p>Open Source Vulnerability Database 51</p>
<p>Global Security Database 52</p>
<p>Common Vulnerability Scoring System 54</p>
<p>Base Metrics 55</p>
<p>Temporal Metrics 57</p>
<p>Environmental Metrics 58</p>
<p>CVSS Rating Scale 58</p>
<p>Critiques 59</p>
<p>Exploit Prediction Scoring System 59</p>
<p>EPSS Model 60</p>
<p>EPSS Critiques 62</p>
<p>CISA’s Take 63</p>
<p>Common Security Advisory Framework 63</p>
<p>Vulnerability Exploitability eXchange 64</p>
<p>Stakeholder-Specific Vulnerability Categorization and Known Exploited Vulnerabilities 65</p>
<p>Moving Forward 69</p>
<p>Summary 70</p>
<p><b>Chapter 4 Rise of Software Bill of Materials 71</b></p>
<p>SBOM in Regulations: Failures and Successes 71</p>
<p>NTIA: Evangelizing the Need for SBOM 72</p>
<p>Industry Efforts: National Labs 77</p>
<p>SBOM Formats 78</p>
<p>Software Identification (SWID) Tags 79</p>
<p>CycloneDX 80</p>
<p>Software Package Data Exchange (SPDX) 81</p>
<p>Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosures 82</p>
<p>VEX Enters the Conversation 83</p>
<p>VEX: Adding Context and Clarity 84</p>
<p>VEX vs. VDR 85</p>
<p>Moving Forward 88</p>
<p>Using SBOM with Other Attestations 89</p>
<p>Source Authenticity 89</p>
<p>Build Attestations 90</p>
<p>Dependency Management and Verification 90</p>
<p>Sigstore 92</p>
<p>Adoption 93</p>
<p>Sigstore Components 93</p>
<p>Commit Signing 95</p>
<p>SBOM Critiques and Concerns 95</p>
<p>Visibility for the Attacker 96</p>
<p>Intellectual Property 97</p>
<p>Tooling and Operationalization 97</p>
<p>Summary 98</p>
<p><b>Chapter 5 Challenges in Software Transparency 99</b></p>
<p>Firmware and Embedded Software 99</p>
<p>Linux Firmware 99</p>
<p>Real-Time Operating System Firmware 100</p>
<p>Embedded Systems 100</p>
<p>Device-Specific SBOM 100</p>
<p>Open Source Software and Proprietary Code 101</p>
<p>User Software 105</p>
<p>Legacy Software 106</p>
<p>Secure Transport 107</p>
<p>Summary 108</p>
<p><b>Chapter 6 Cloud and Containerization 111</b></p>
<p>Shared Responsibility Model 112</p>
<p>Breakdown of the Shared Responsibility Model 112</p>
<p>Duties of the Shared Responsibility Model 112</p>
<p>The 4 Cs of Cloud Native Security 116</p>
<p>Containers 118</p>
<p>Kubernetes 123</p>
<p>Serverless Model 128</p>
<p>SaaSBOM and the Complexity of APIs 129</p>
<p>CycloneDX SaaSBOM 130</p>
<p>Tooling and Emerging Discussions 132</p>
<p>Usage in DevOps and DevSecOps 132</p>
<p>Summary 135</p>
<p><b>Chapter 7 Existing and Emerging Commercial Guidance 137</b></p>
<p>Supply Chain Levels for Software Artifacts 137</p>
<p>Google Graph for Understanding Artifact Composition 141</p>
<p>CIS Software Supply Chain Security Guide 144</p>
<p>Source Code 145</p>
<p>Build Pipelines 146</p>
<p>Dependencies 148</p>
<p>Artifacts 148</p>
<p>Deployment 149</p>
<p>CNCF’s Software Supply Chain Best Practices 150</p>
<p>Securing the Source Code 152</p>
<p>Securing Materials 154</p>
<p>Securing Build Pipelines 155</p>
<p>Securing Artifacts 157</p>
<p>Securing Deployments 157</p>
<p>CNCF’s Secure Software Factory Reference Architecture 157</p>
<p>The Secure Software Factory Reference Architecture 158</p>
<p>Core Components 159</p>
<p>Management Components 160</p>
<p>Distribution Components 160</p>
<p>Variables and Functionality 160</p>
<p>Wrapping It Up 161</p>
<p>Microsoft’s Secure Supply Chain Consumption Framework 161</p>
<p>S2C2F Practices 163</p>
<p>S2C2F Implementation Guide 166</p>
<p>OWASP Software Component Verification Standard 167</p>
<p>SCVS Levels 168</p>
<p>Level 1 168</p>
<p>Level 2 169</p>
<p>Level 3 169</p>
<p>Inventory 169</p>
<p>Software Bill of Materials 170</p>
<p>Build Environment 171</p>
<p>Package Management 171</p>
<p>Component Analysis 173</p>
<p>Pedigree and Provenance 173</p>
<p>Open Source Policy 174</p>
<p>OpenSSF Scorecard 175</p>
<p>Security Scorecards for Open Source Projects 175</p>
<p>How Can Organizations Make Use of the Scorecards Project? 177</p>
<p>The Path Ahead 178</p>
<p>Summary 178</p>
<p><b>Chapter 8 Existing and Emerging Government Guidance 179</b></p>
<p>Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations 179</p>
<p>Critical Software 181</p>
<p>Security Measures for Critical Software 182</p>
<p>Software Verification 186</p>
<p>Threat Modeling 187</p>
<p>Automated Testing 187</p>
<p>Code-Based or Static Analysis and Dynamic Testing 188</p>
<p>Review for Hard-Coded Secrets 188</p>
<p>Run with Language-Provided Checks and Protection 189</p>
<p>Black-Box Test Cases 189</p>
<p>Code-Based Test Cases 189</p>
<p>Historical Test Cases 189</p>
<p>Fuzzing 190</p>
<p>Web Application Scanning 190</p>
<p>Check Included Software Components 190</p>
<p>NIST’s Secure Software Development Framework 191</p>
<p>SSDF Details 192</p>
<p>Prepare the Organization (PO) 193</p>
<p>Protect the Software (PS) 194</p>
<p>Produce Well-Secured Software (PW) 194</p>
<p>Respond to Vulnerabilities (RV) 196</p>
<p>NSA’s Securing the Software Supply Chain Guidance Series 197</p>
<p>Security Guidance for Software Developers 197</p>
<p>Secure Product Criteria and Management 199</p>
<p>Develop Secure Code 202</p>
<p>Verify Third-Party Components 204</p>
<p>Harden the Build Environment 206</p>
<p>Deliver the Code 207</p>
<p>NSA Appendices 207</p>
<p>Recommended Practices Guide for Suppliers 209</p>
<p>Prepare the Organization 209</p>
<p>Protect the Software 210</p>
<p>Produce Well-Secured Software 211</p>
<p>Respond to Vulnerabilities 213</p>
<p>Recommended Practices Guide for Customers 214</p>
<p>Summary 218</p>
<p><b>Chapter 9 Software Transparency in Operational Technology 219</b></p>
<p>The Kinetic Effect of Software 220</p>
<p>Legacy Software Risks 222</p>
<p>Ladder Logic and Setpoints in Control Systems 223</p>
<p>ICS Attack Surface 225</p>
<p>Smart Grid 227</p>
<p>Summary 228</p>
<p><b>Chapter 10 Practical Guidance for Suppliers 229</b></p>
<p>Vulnerability Disclosure and Response PSIRT 229</p>
<p>Product Security Incident Response Team (PSIRT) 231</p>
<p>To Share or Not to Share and How Much Is Too Much? 236</p>
<p>Copyleft, Licensing Concerns, and “As-Is” Code 238</p>
<p>Open Source Program Offices 240</p>
<p>Consistency Across Product Teams 242</p>
<p>Manual Effort vs. Automation and Accuracy 243</p>
<p>Summary 244</p>
<p><b>Chapter 11 Practical Guidance for Consumers 245</b></p>
<p>Thinking Broad and Deep 245</p>
<p>Do I Really Need an SBOM? 246</p>
<p>What Do I Do with It? 250</p>
<p>Receiving and Managing SBOMs at Scale 251</p>
<p>Reducing the Noise 253</p>
<p>The Divergent Workflow—I Can’t Just Apply a Patch? 254</p>
<p>Preparation 256</p>
<p>Identification 256</p>
<p>Analysis 257</p>
<p>Virtual Patch Creation 257</p>
<p>Implementation and Testing 258</p>
<p>Recovery and Follow-up 258</p>
<p>Long-Term Thinking 259</p>
<p>Summary 259</p>
<p><b>Chapter 12 Software Transparency Predictions 261</b></p>
<p>Emerging Efforts, Regulations, and Requirements 261</p>
<p>The Power of the U.S. Government Supply Chains to Affect Markets 267</p>
<p>Acceleration of Supply Chain Attacks 270</p>
<p>The Increasing Connectedness of Our Digital World 272</p>
<p>What Comes Next? 275</p>
<p>Index 283</p>
<p><b>CHRIS HUGHES</b> is the co-founder and Chief Information Security Officer of Aquia. He is an Adjunct Professor for M.S. Cybersecurity programs at Capitol Technology University and the University of Maryland Global Campus, and a co-host of the Resilient Cyber Podcast.</p>
<p><b>TONY TURNER</b> has 25 years’ experience as a cybersecurity engineer, architect, consultant, executive, and community builder. He is the Founder of Opswright, a software company creating solutions for security engineering in critical infrastructure, and leads the OWASP Orlando chapter.</p>
<p><b>Explore the cybersecurity implications of the interconnected software supply chain</b></p>
<p>In <i>Software Transparency: Supply Chain Security in an Era of a Software-Driven Society</i>, a team of dedicated information security executives and professionals delivers an incisive and essential new treatment of software supply chain security. In the book, you’ll find real-world examples of how to defend your own organization against attack. It covers topics ranging from the history of the software transparency movement to software bills of materials and high-assurance attestations in a rapidly evolving software landscape.</p>
<p>The authors explain the background of attack surfaces that are increasingly exposed, including mobile and social networks, banking and retail systems, and even the critical infrastructure and defense systems upon which we all rely. You’ll discover how you can defend against threats to these networks and explore use cases and practical guidance for both software consumers and the suppliers who support them.</p>
<p>A can’t-miss resource for cybersecurity and application security professionals, <i>Software Transparency</i> will also earn a central place on the bookshelves of professionals working in industrial control system security, cloud security, mobile security, DevOps, and DevSecOps. The book offers extensive coverage of:</p>
<ul>
<li>Firmware and embedded software</li>
<li>Cloud and connected APIs</li>
<li>Industrial control systems</li>
<li>Internet of Things-connected devices</li>
<li>Federal and defense software supply chain initiatives</li>
<li>Software for mobile devices</li>
</ul>
<p>"Starting this book off with a proper threat model is precisely what’s needed as a frame for such an important problem. Supply chain risk is complicated, it’s changing quickly, and the defensive measures often involve multiple teams, which drives up the complexity. The insights captured throughout this book are absolutely necessary for the state of software security today, and having the proper context and frame of the problem space as you read it will help you get the most out of it."<br /><b>—Robert Wood, CISO of Centers for Medicare and Medicaid (CMS)</b></p>
<p>"This is a very good book. It achieves something that I don't think anyone else has even attempted: provide an encyclopedic account of guidelines, best practices, regulations, and current efforts to secure the software supply chain. The best aspect of this book is that someone (like me) who is primarily involved with just one aspect of software supply chain security can benefit from a well-informed treatment of the subject from different aspects, yet still have a reference tool to return to later, when the need arises to learn about other topics within this already vast discipline."<br /><b>—Tom Alrich</b></p>
