Discover the new cybersecurity landscape of the interconnected software supply chain
In Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, a team of veteran information security professionals delivers an expert treatment of software supply chain security. In the book, you’ll explore real-world examples and guidance on how to defend your own organization against internal and external attacks. Its coverage includes the history of the software transparency movement, software bills of materials, and high assurance attestations.
The authors examine the background of attack vectors that are becoming increasingly vulnerable, like mobile and social networks, retail and banking systems, and infrastructure and defense systems. You’ll also discover:
Use cases and practical guidance for both software consumers and suppliers
Discussions of firmware and embedded software, as well as cloud and connected APIs
Strategies for understanding federal and defense software supply chain initiatives related to security
An essential resource for cybersecurity and application security professionals, Software Transparency will also be of extraordinary benefit to industrial control system, cloud, and mobile security professionals.
Author(s): Chris Hughes; Tony Turner
Publisher: Wiley
Year: 2023
Language: English
Pages: 332
Cover
Title Page
Copyright Page
Contents at a Glance
Contents
Foreword
Introduction
What Does This Book Cover?
Who Will Benefit Most from This Book?
Special Features
Chapter 1 Background on Software Supply Chain Threats
Incentives for the Attacker
Threat Models
Threat Modeling Methodologies
STRIDE
STRIDE-LM
Open Worldwide Application Security Project (OWASP) Risk-Rating Methodology
DREAD
Using Attack Trees
Threat Modeling Process
Landmark Case 1: SolarWinds
Landmark Case 2: Log4j
Landmark Case 3: Kaseya
What Can We Learn from These Cases?
Summary
Chapter 2 Existing Approaches—Traditional Vendor Risk Management
Assessments
SDL Assessments
Application Security Maturity Models
Governance
Design
Implementation
Verification
Operations
Application Security Assurance
Static Application Security Testing
Dynamic Application Security Testing
Interactive Application Security Testing
Mobile Application Security Testing
Software Composition Analysis
Hashing and Code Signing
Summary
Chapter 3 Vulnerability Databases and Scoring Methodologies
Common Vulnerabilities and Exposures
National Vulnerability Database
Software Identity Formats
CPE
Software Identification Tagging
PURL
Sonatype OSS Index
Open Source Vulnerability Database
Global Security Database
Common Vulnerability Scoring System
Base Metrics
Temporal Metrics
Environmental Metrics
CVSS Rating Scale
Critiques
Exploit Prediction Scoring System
EPSS Model
EPSS Critiques
CISA’s Take
Common Security Advisory Framework
Vulnerability Exploitability eXchange
Stakeholder-Specific Vulnerability Categorization and Known Exploited Vulnerabilities
Moving Forward
Summary
Chapter 4 Rise of Software Bill of Materials
SBOM in Regulations: Failures and Successes
NTIA: Evangelizing the Need for SBOM
Industry Efforts: National Labs
SBOM Formats
Software Identification (SWID) Tags
CycloneDX
Software Package Data Exchange (SPDX)
Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosures
VEX Enters the Conversation
VEX: Adding Context and Clarity
VEX vs. VDR
Moving Forward
Using SBOM with Other Attestations
Source Authenticity
Build Attestations
Dependency Management and Verification
Sigstore
Adoption
Sigstore Components
Commit Signing
SBOM Critiques and Concerns
Visibility for the Attacker
Intellectual Property
Tooling and Operationalization
Summary
Chapter 5 Challenges in Software Transparency
Firmware and Embedded Software
Linux Firmware
Real-Time Operating System Firmware
Embedded Systems
Device-Specific SBOM
Open Source Software and Proprietary Code
User Software
Legacy Software
Secure Transport
Summary
Chapter 6 Cloud and Containerization
Shared Responsibility Model
Breakdown of the Shared Responsibility Model
Duties of the Shared Responsibility Model
The 4 Cs of Cloud Native Security
Containers
Kubernetes
Serverless Model
SaaSBOM and the Complexity of APIs
CycloneDX SaaSBOM
Tooling and Emerging Discussions
Usage in DevOps and DevSecOps
Summary
Chapter 7 Existing and Emerging Commercial Guidance
Supply Chain Levels for Software Artifacts
Google Graph for Understanding Artifact Composition
CIS Software Supply Chain Security Guide
Source Code
Build Pipelines
Dependencies
Artifacts
Deployment
CNCF’s Software Supply Chain Best Practices
Securing the Source Code
Securing Materials
Securing Build Pipelines
Securing Artifacts
Securing Deployments
CNCF’s Secure Software Factory Reference Architecture
The Secure Software Factory Reference Architecture
Core Components
Management Components
Distribution Components
Variables and Functionality
Wrapping It Up
Microsoft’s Secure Supply Chain Consumption Framework
S2C2F Practices
S2C2F Implementation Guide
OWASP Software Component Verification Standard
SCVS Levels
Level 1
Level 2
Level 3
Inventory
Software Bill of Materials
Build Environment
Package Management
Component Analysis
Pedigree and Provenance
Open Source Policy
OpenSSF Scorecard
Security Scorecards for Open Source Projects
How Can Organizations Make Use of the Scorecards Project?
The Path Ahead
Summary
Chapter 8 Existing and Emerging Government Guidance
Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
Critical Software
Security Measures for Critical Software
Software Verification
Threat Modeling
Automated Testing
Code-Based or Static Analysis and Dynamic Testing
Review for Hard-Coded Secrets
Run with Language-Provided Checks and Protection
Black-Box Test Cases
Code-Based Test Cases
Historical Test Cases
Fuzzing
Web Application Scanning
Check Included Software Components
NIST’s Secure Software Development Framework
SSDF Details
Prepare the Organization (PO)
Protect the Software (PS)
Produce Well-Secured Software (PW)
Respond to Vulnerabilities (RV)
NSA's: Securing the Software Supply Chain Guidance Series
Security Guidance for Software Developers
Secure Product Criteria and Management
Develop Secure Code
Verify Third-Party Components
Harden the Build Environment
Deliver the Code
NSA Appendices
Recommended Practices Guide for Suppliers
Prepare the Organization
Protect the Software
Produce Well-Secured Software
Respond to Vulnerabilities
Recommended Practices Guide for Customers
Summary
Chapter 9 Software Transparency in Operational Technology
The Kinetic Effect of Software
Legacy Software Risks
Ladder Logic and Setpoints in Control Systems
ICS Attack Surface
Smart Grid
Summary
Chapter 10 Practical Guidance for Suppliers
Vulnerability Disclosure and Response PSIRT
Product Security Incident Response Team (PSIRT)
To Share or Not to Share and How Much Is Too Much?
Copyleft, Licensing Concerns, and “As-Is” Code
Open Source Program Offices
Consistency Across Product Teams
Manual Effort vs. Automation and Accuracy
Summary
Chapter 11 Practical Guidance for Consumers
Thinking Broad and Deep
Do I Really Need an SBOM?
What Do I Do with It?
Receiving and Managing SBOMs at Scale
Reducing the Noise
The Divergent Workflow—I Can’t Just Apply a Patch?
Preparation
Identification
Analysis
Virtual Patch Creation
Implementation and Testing
Recovery and Follow-up
Long-Term Thinking
Summary
Chapter 12 Software Transparency Predictions
Emerging Efforts, Regulations, and Requirements
The Power of the U.S. Government Supply Chains to Affect Markets
Acceleration of Supply Chain Attacks
The Increasing Connectedness of Our Digital World
What Comes Next?
Index
EULA