Software Supply Chain Security: Securing the End-to-end Supply Chain for Software, Firmware, and Hardware

Trillions of lines of code help us in our lives, companies, and organizations. But just a single software cybersecurity vulnerability can stop entire companies from doing business and cause billions of dollars in revenue loss and business recovery. Securing the creation and deployment of software, also known as software supply chain security, goes well beyond the software development process. This practical book gives you a comprehensive look at security risks and identifies the practical controls you need to incorporate into your end-to-end software supply chain. Author Cassie Crossley demonstrates how and why everyone involved in the supply chain needs to participate if your organization is to improve the security posture of its software, firmware, and hardware.

With this book, you'll learn how to:

• Pinpoint the cybersecurity risks in each part of your organization's software supply chain
• Identify the roles that participate in the supply chain—including IT, development, operations, manufacturing, and procurement
• Design initiatives and controls for each part of the supply chain using existing frameworks and references
• Implement secure development lifecycle, source code security, software build management, and software transparency practices
• Evaluate third-party risk in your supply chain

Author(s): Cassie Crossley
Edition: 1
Publisher: O'Reilly Media
Year: 2024

Language: English
Commentary: Publisher's PDF
Pages: 240
City: Sebastopol, CA
Tags: Cloud Computing; Security; Cybersecurity; Hardware; Risk Management; Software Development Life Cycle; Firmware; DevSecOps; Supply Chain; Software Transparency

Cover
Copyright
Table of Contents
Foreword
Preface
Who Should Read This Book
Why I Wrote This Book
Navigating This Book
Conventions Used in This Book
O’Reilly Online Learning
How to Contact Us
Acknowledgments
Chapter 1. Supply Chain Security
Supply Chain Definitions
Software Supply Chain Security Impacts
Requirements, Laws, Regulations, and Directives
Summary
Chapter 2. Supply Chain Frameworks and Standards
Technology Risk Management Frameworks
NIST SP 800-37 Risk Management Framework (RMF)
ISO 31000:2018 Risk Management
Control Objectives for Information and Related Technologies (COBIT®) 2019
NIST Cybersecurity Framework (CSF)
Supply Chain Frameworks and Standards
NIST SP 800-161 Cybersecurity Supply Chain Risk Management for Systems and Organizations
UK Supplier Assurance Framework
MITRE System of Trust™ (SoT) Framework
ISO/IEC 20243-1:2023 Open Trusted Technology Provider Standard
SCS 9001 Supply Chain Security Standard
ISO 28000:2022 Security and Resilience
ISO/IEC 27036 Information Security for Supplier Relationships
Framework and Standards Considerations Summary
Summary
Chapter 3. Infrastructure Security in the Product Lifecycle
Developer Environments
Code Repositories and Build Platforms
Development Tools
Labs and Test Environments
Preproduction and Production Environments
Software Distribution and Deployment Locations
Manufacturing and Supply Chain Environments
Customer Staging for Acceptance Tests
Service Systems and Tools
Summary
Chapter 4. Secure Development Lifecycle
Key Elements of an SDL
Security Requirements
Secure Design
Secure Development
Security Testing
Vulnerability Management
Augmenting an SDLC with SDL
ISA/IEC 62443-4-1 Secure Development Lifecycle
NIST SSDF
Microsoft SDL
ISO/IEC 27034 Application Security
SAFECode
SDL Considerations for IoT, OT, and Embedded Systems
Product and Application Security Metrics
Summary
Chapter 5. Source Code, Build, and Deployment Management
Source Code Types
Open Source
Commercial
Proprietary
Operating Systems and Frameworks
Low-Code/No-Code
Generative AI Source Code
Code Quality
Secure Coding Standards
Software Analysis Technologies
Code Reviews
Source Code Integrity
Change Management
Trusted Source Code
Trusted Dependencies
Build Management
Authentication and Authorization
Build Scripts and Automation
Repeatability and Reproducibility
Code Signing
Deployment Management
Summary
Chapter 6. Cloud and DevSecOps
Cloud Frameworks, Controls, and Assessments
ISO/IEC 27001 Information Security Management Systems
Cloud Security Alliance CCM and CAIQ
Cloud Security Alliance STAR Program
American Institute of CPAs SOC 2
US FedRAMP
Cloud Security Considerations and Requirements
DevSecOps
Change Management for Cloud
Secure Design and Development for Cloud Applications
API Security
Testing
Deploying Immutable Infrastructure and Applications
Securing Connections
Operating and Monitoring
Site Reliability Engineering
Summary
Chapter 7. Intellectual Property and Data
Data Classification
People
Technology
Data Security
Loss of Code, Keys, and Secrets
Design Flaws
Configuration Errors
Application Programming Interfaces (APIs)
Vulnerabilities
Summary
Chapter 8. Software Transparency
Software Transparency Use Cases
Software Bill of Materials (SBOM)
SBOM Formats
SBOM Elements
SBOM Limitations
Additional Bill of Materials (BOMs)
Vulnerability Disclosures
Additional Transparency Approaches
US CISA Secure Software Development Attestation Common Form
Supply Chain Integrity, Transparency, and Trust (SCITT)
Digital Bill of Materials and Sharing Mechanisms
Graph of Understanding Artifact Composition (GUAC)
In-Toto Attestation
Software Provenance
Practices and Technology
Summary
Chapter 9. Suppliers
Cyber Assessments
Assessment Responses
Research
IT Security Including Environmental Security
Product/Application Security Organization
Product Security Processes and Secure Development Lifecycle
Training
Secure Development and Security Testing
Build Management, DevSecOps, and Release Management
Scanning, Vulnerability Management, Patching, and SLAs
Cloud Applications and Environments
Development Services
Manufacturing
Cyber Agreements, Contracts, and Addendums
Ongoing Supplier Management
Monitoring
Supplier Reviews
Right to Audit and Assess
Summary
Chapter 10. Manufacturing and Device Security
Suppliers and Manufacturing Security
Equipment, Systems, and Network Security Configurations
Physical Security
Code, Software, and Firmware Integrity
Tests for Integrity
Counterfeits
Chain of Custody
Device Protection Measures
Firmware Public Key Infrastructure (PKI)
Hardware Root of Trust
Secure Boot
Secure Element
Device Authentication
Summary
Chapter 11. People in the Software Supply Chain
Cybersecurity Organizational Structures
Security Champions
Cybersecurity Awareness and Training
Development Team
Secure Development Lifecycle (SDL)
Source Code Management
DevSecOps and Cloud
Capture-the-Flag Events
Third-Party Suppliers
Manufacturing and Distribution
Customer Projects and Field Services
End Users
Summary
Appendix A. Security Controls
Infrastructure Security Controls
Secure Development Lifecycle Controls
Source Code, Build, and Deployment Controls
Cloud Controls
Intellectual Property and Data Controls
Software Transparency Controls
Supplier Controls
Manufacturing and Device Security Controls
People Controls
Index
About the Author
Colophon