Software Transparency : Supply Chain Security in an Era of a Software-Driven Society / Chris Hughes, Tony Turner.

O'Reilly Online Learning: Academic/Public Library Edition Available online
Format: Book
Author/Creator: Hughes, Chris, author; Turner, Tony, author.
Language: English
Subjects (All): Computer security; Computer software.
Physical Description: 1 online resource (332 pages)
Place of Publication: Hoboken, New Jersey : John Wiley & Sons, Inc., [2023]
Summary:
Discover the new cybersecurity landscape of the interconnected software supply chain. In Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, a team of veteran information security professionals delivers an expert treatment of software supply chain security. The book works through real-world examples and gives guidance on defending your own organization against internal and external attacks. It covers the history of the software transparency movement, software bills of materials (SBOMs), and high-assurance attestations. The authors also examine the background of attack surfaces that are increasingly exposed, such as mobile and social networks, retail and banking systems, and infrastructure and defense systems.

You'll also find:
- Use cases and practical guidance for both software consumers and suppliers
- Discussions of firmware and embedded software, as well as cloud and connected APIs
- Strategies for understanding federal and defense software supply chain initiatives related to security

An essential resource for cybersecurity and application security professionals, Software Transparency will also be of extraordinary benefit to industrial control system, cloud, and mobile security professionals.
Contents:
Cover
Title Page
Copyright Page
Contents at a Glance
Contents
Foreword
Introduction
What Does This Book Cover?
Who Will Benefit Most from This Book?
Special Features
Chapter 1 Background on Software Supply Chain Threats
Incentives for the Attacker
Threat Models
Threat Modeling Methodologies
STRIDE
STRIDE-LM
Open Worldwide Application Security Project (OWASP) Risk-Rating Methodology
DREAD
Using Attack Trees
Threat Modeling Process
Landmark Case 1: SolarWinds
Landmark Case 2: Log4j
Landmark Case 3: Kaseya
What Can We Learn from These Cases?
Summary
Chapter 2 Existing Approaches: Traditional Vendor Risk Management
Assessments
SDL Assessments
Application Security Maturity Models
Governance
Design
Implementation
Verification
Operations
Application Security Assurance
Static Application Security Testing
Dynamic Application Security Testing
Interactive Application Security Testing
Mobile Application Security Testing
Software Composition Analysis
Hashing and Code Signing
Chapter 3 Vulnerability Databases and Scoring Methodologies
Common Vulnerabilities and Exposures
National Vulnerability Database
Software Identity Formats
CPE
Software Identification Tagging
PURL
Sonatype OSS Index
Open Source Vulnerability Database
Global Security Database
Common Vulnerability Scoring System
Base Metrics
Temporal Metrics
Environmental Metrics
CVSS Rating Scale
Critiques
Exploit Prediction Scoring System
EPSS Model
EPSS Critiques
CISA's Take
Common Security Advisory Framework
Vulnerability Exploitability eXchange
Stakeholder-Specific Vulnerability Categorization and Known Exploited Vulnerabilities
Moving Forward
Chapter 4 Rise of Software Bill of Materials
SBOM in Regulations: Failures and Successes
NTIA: Evangelizing the Need for SBOM
Industry Efforts: National Labs
SBOM Formats
Software Identification (SWID) Tags
CycloneDX
Software Package Data Exchange (SPDX)
Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosures
VEX Enters the Conversation
VEX: Adding Context and Clarity
VEX vs. VDR
Using SBOM with Other Attestations
Source Authenticity
Build Attestations
Dependency Management and Verification
Sigstore
Adoption
Sigstore Components
Commit Signing
SBOM Critiques and Concerns
Visibility for the Attacker
Intellectual Property
Tooling and Operationalization
Chapter 5 Challenges in Software Transparency
Firmware and Embedded Software
Linux Firmware
Real-Time Operating System Firmware
Embedded Systems
Device-Specific SBOM
Open Source Software and Proprietary Code
User Software
Legacy Software
Secure Transport
Chapter 6 Cloud and Containerization
Shared Responsibility Model
Breakdown of the Shared Responsibility Model
Duties of the Shared Responsibility Model
The 4 Cs of Cloud Native Security
Containers
Kubernetes
Serverless Model
SaaSBOM and the Complexity of APIs
CycloneDX SaaSBOM
Tooling and Emerging Discussions
Usage in DevOps and DevSecOps
Chapter 7 Existing and Emerging Commercial Guidance
Supply Chain Levels for Software Artifacts
Google Graph for Understanding Artifact Composition
CIS Software Supply Chain Security Guide
Source Code
Build Pipelines
Dependencies
Artifacts
Deployment
CNCF's Software Supply Chain Best Practices
Securing the Source Code
Securing Materials
Securing Build Pipelines
Securing Artifacts
Securing Deployments
CNCF's Secure Software Factory Reference Architecture
The Secure Software Factory Reference Architecture
Core Components
Management Components
Distribution Components
Variables and Functionality
Wrapping It Up
Microsoft's Secure Supply Chain Consumption Framework
S2C2F Practices
S2C2F Implementation Guide
OWASP Software Component Verification Standard
SCVS Levels
Level 1
Level 2
Level 3
Inventory
Software Bill of Materials
Build Environment
Package Management
Component Analysis
Pedigree and Provenance
Open Source Policy
OpenSSF Scorecard
Security Scorecards for Open Source Projects
How Can Organizations Make Use of the Scorecards Project?
The Path Ahead
Chapter 8 Existing and Emerging Government Guidance
Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
Critical Software
Security Measures for Critical Software
Software Verification
Threat Modeling
Automated Testing
Code-Based or Static Analysis and Dynamic Testing
Review for Hard-Coded Secrets
Run with Language-Provided Checks and Protection
Black-Box Test Cases
Code-Based Test Cases
Historical Test Cases
Fuzzing
Web Application Scanning
Check Included Software Components
NIST's Secure Software Development Framework
SSDF Details
Prepare the Organization (PO)
Protect the Software (PS)
Produce Well-Secured Software (PW)
Respond to Vulnerabilities (RV)
NSA's Securing the Software Supply Chain Guidance Series
Security Guidance for Software Developers
Secure Product Criteria and Management
Develop Secure Code
Verify Third-Party Components
Harden the Build Environment
Deliver the Code
NSA Appendices
Recommended Practices Guide for Suppliers
Prepare the Organization
Protect the Software
Produce Well-Secured Software
Respond to Vulnerabilities
Recommended Practices Guide for Customers
Chapter 9 Software Transparency in Operational Technology
The Kinetic Effect of Software
Legacy Software Risks
Ladder Logic and Setpoints in Control Systems
ICS Attack Surface
Smart Grid
Chapter 10 Practical Guidance for Suppliers
Vulnerability Disclosure and Response
Product Security Incident Response Team (PSIRT)
To Share or Not to Share and How Much Is Too Much?
Copyleft, Licensing Concerns, and "As-Is" Code
Open Source Program Offices
Consistency Across Product Teams
Manual Effort vs. Automation and Accuracy
Chapter 11 Practical Guidance for Consumers
Thinking Broad and Deep
Do I Really Need an SBOM?
What Do I Do with It?
Receiving and Managing SBOMs at Scale
Reducing the Noise
The Divergent Workflow: I Can't Just Apply a Patch?
Preparation
Identification
Analysis
Virtual Patch Creation
Implementation and Testing
Recovery and Follow-up
Long-Term Thinking
Chapter 12 Software Transparency Predictions
Emerging Efforts, Regulations, and Requirements
The Power of the U.S. Government Supply Chains to Affect Markets
Acceleration of Supply Chain Attacks
The Increasing Connectedness of Our Digital World
What Comes Next?
Index
EULA
Notes: Description based on print version record. Includes bibliographical references and index.
ISBN: 9781394158508; 1394158505
OCLC: 1378391810