Fr. 47.90

Software Transparency - Supply Chain Security in an Era of a Software-Driven Society

English · Paperback / Softback

Shipping usually within 1 to 3 weeks (not available at short notice)

Description

Discover the new cybersecurity landscape of the interconnected software supply chain
 
In Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, a team of veteran information security professionals delivers an expert treatment of software supply chain security. In the book, you'll explore real-world examples and guidance on how to defend your own organization against internal and external attacks. It covers topics including the history of the software transparency movement, software bills of materials, and high-assurance attestations.

The authors examine the background of increasingly exposed attack surfaces, such as mobile and social networks, retail and banking systems, and infrastructure and defense systems. You'll also discover:
* Use cases and practical guidance for both software consumers and suppliers
* Discussions of firmware and embedded software, as well as cloud and connected APIs
* Strategies for understanding federal and defense software supply chain initiatives related to security
 
An essential resource for cybersecurity and application security professionals, Software Transparency will also be of extraordinary benefit to industrial control system, cloud, and mobile security professionals.

List of contents

Foreword xxi
Introduction xxv

Chapter 1 Background on Software Supply Chain Threats 1
Incentives for the Attacker 1
Threat Models 2
Threat Modeling Methodologies 3
STRIDE 3
STRIDE-LM 4
Open Worldwide Application Security Project (OWASP) Risk-Rating Methodology 4
DREAD 5
Using Attack Trees 5
Threat Modeling Process 6
Landmark Case 1: SolarWinds 14
Landmark Case 2: Log4j 18
Landmark Case 3: Kaseya 21
What Can We Learn from These Cases? 23
Summary 24

Chapter 2 Existing Approaches: Traditional Vendor Risk Management 25
Assessments 25
SDL Assessments 28
Application Security Maturity Models 29
Governance 30
Design 30
Implementation 31
Verification 31
Operations 32
Application Security Assurance 32
Static Application Security Testing 33
Dynamic Application Security Testing 34
Interactive Application Security Testing 35
Mobile Application Security Testing 36
Software Composition Analysis 36
Hashing and Code Signing 37
Summary 39

Chapter 3 Vulnerability Databases and Scoring Methodologies 41
Common Vulnerabilities and Exposures 41
National Vulnerability Database 44
Software Identity Formats 46
CPE 46
Software Identification Tagging 47
purl 49
Sonatype OSS Index 50
Open Source Vulnerability Database 51
Global Security Database 52
Common Vulnerability Scoring System 54
Base Metrics 55
Temporal Metrics 57
Environmental Metrics 58
CVSS Rating Scale 58
Critiques 59
Exploit Prediction Scoring System 59
EPSS Model 60
EPSS Critiques 62
CISA's Take 63
Common Security Advisory Framework 63
Vulnerability Exploitability eXchange 64
Stakeholder-Specific Vulnerability Categorization and Known Exploited Vulnerabilities 65
Moving Forward 69
Summary 70

Chapter 4 Rise of Software Bill of Materials 71
SBOM in Regulations: Failures and Successes 71
NTIA: Evangelizing the Need for SBOM 72
Industry Efforts: National Labs 77
SBOM Formats 78
Software Identification (SWID) Tags 79
CycloneDX 80
Software Package Data Exchange (SPDX) 81
Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosures 82
VEX Enters the Conversation 83
VEX: Adding Context and Clarity 84
VEX vs. VDR 85
Moving Forward 88
Using SBOM with Other Attestations 89
Source Authenticity 89
Build Attestations 90
Dependency Management and Verification 90
Sigstore 92
Adoption 93
Sigstore Components 93
Commit Signing 95
SBOM Critiques and Concerns 95
Visibility for the Attacker 96
Intellectual Property 97
Tooling and Operationalization 97
Summary 98

Chapter 5 Challenges in Software Transparency 99
Firmware and Embedded Software 99
Linux Firmware 99
Real-Time Operating System Firmware 100
Embedded Systems 100
Device-Specific SBOM 100
Open Source Software and Proprietary Code 101
User Software 105
Legacy Software 106
Secure Transport 107
Summary 108

Chapter 6

About the author

CHRIS HUGHES is the co-founder and Chief Information Security Officer of Aquia. He is an Adjunct Professor for M.S. Cybersecurity programs at Capitol Technology University and the University of Maryland Global Campus, and a co-host of the Resilient Cyber Podcast. TONY TURNER has 25 years' experience as a cybersecurity engineer, architect, consultant, executive, and community builder. He is the Founder of Opswright, a software company creating solutions for security engineering in critical infrastructure, and leads the OWASP Orlando chapter.

Report

"Starting this book off with a proper threat model is precisely what's needed as a frame for such an important problem. Supply chain risk is complicated; it's changing quickly, and the defensive measures often involve multiple teams, which drives up the complexity. The insights captured throughout this book are absolutely necessary for the state of software security today, and having the proper context and frame of the problem space as you read it will help get the most out of it."
--Robert Wood, CISO of Centers for Medicare and Medicaid (CMS)
 
"This is a very good book. It achieves something that I don't think anyone else has even attempted: provide an encyclopedic account of guidelines, best practices, regulations, and current efforts to secure the software supply chain. The best aspect of this book is that someone (like me) who is primarily involved with just one aspect of software supply chain security can benefit from a well-informed treatment of the subject from different aspects, yet still have a reference tool to return to later, when the need arises to learn about other topics within this already vast discipline."
--Tom Alrich
