Software Transparency

Book description

Discover the new cybersecurity landscape of the interconnected software supply chain

In Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, a team of veteran information security professionals delivers an expert treatment of software supply chain security. In the book, you’ll explore real-world examples and guidance on how to defend your own organization against internal and external attacks. It covers topics including the history of the software transparency movement, software bills of materials, and high assurance attestations.

The authors examine the background of attack vectors that are becoming increasingly vulnerable, like mobile and social networks, retail and banking systems, and infrastructure and defense systems. You’ll also discover:

  • Use cases and practical guidance for both software consumers and suppliers
  • Discussions of firmware and embedded software, as well as cloud and connected APIs
  • Strategies for understanding federal and defense software supply chain initiatives related to security

An essential resource for cybersecurity and application security professionals, Software Transparency will also be of extraordinary benefit to industrial control system, cloud, and mobile security professionals.

Table of contents

  1. Cover
  2. Title Page
  3. Foreword
  4. Introduction
    1. What Does This Book Cover?
    2. Who Will Benefit Most from This Book?
    3. Special Features
  5. CHAPTER 1: Background on Software Supply Chain Threats
    1. Incentives for the Attacker
    2. Threat Models
    3. Landmark Case 1: SolarWinds
    4. Landmark Case 2: Log4j
    5. Landmark Case 3: Kaseya
    6. What Can We Learn from These Cases?
    7. Summary
  6. CHAPTER 2: Existing Approaches—Traditional Vendor Risk Management
    1. Assessments
    2. SDL Assessments
    3. Application Security Maturity Models
    4. Application Security Assurance
    5. Hashing and Code Signing
    6. Summary
  7. CHAPTER 3: Vulnerability Databases and Scoring Methodologies
    1. Common Vulnerabilities and Exposures
    2. National Vulnerability Database
    3. Software Identity Formats
    4. Sonatype OSS Index
    5. Open Source Vulnerability Database
    6. Global Security Database
    7. Common Vulnerability Scoring System
    8. Exploit Prediction Scoring System
    9. EPSS Model
    10. EPSS Critiques
    11. CISA's Take
    12. Moving Forward
    13. Summary
  8. CHAPTER 4: Rise of Software Bill of Materials
    1. SBOM in Regulations: Failures and Successes
    2. Industry Efforts: National Labs
    3. SBOM Formats
    4. Moving Forward
    5. Using SBOM with Other Attestations
    6. Summary
  9. CHAPTER 5: Challenges in Software Transparency
    1. Firmware and Embedded Software
    2. Open Source Software and Proprietary Code
    3. User Software
    4. Legacy Software
    5. Secure Transport
    6. Summary
  10. CHAPTER 6: Cloud and Containerization
    1. Shared Responsibility Model
    2. The 4 Cs of Cloud Native Security
    3. Containers
    4. Kubernetes
    5. Serverless Model
    6. SaaSBOM and the Complexity of APIs
    7. Usage in DevOps and DevSecOps
    8. Summary
  11. CHAPTER 7: Existing and Emerging Commercial Guidance
    1. Supply Chain Levels for Software Artifacts
    2. Google Graph for Understanding Artifact Composition
    3. CIS Software Supply Chain Security Guide
    4. CNCF's Software Supply Chain Best Practices
    5. CNCF's Secure Software Factory Reference Architecture
    6. Microsoft's Secure Supply Chain Consumption Framework
    7. S2C2F Practices
    8. S2C2F Implementation Guide
    9. OWASP Software Component Verification Standard
    10. OpenSSF Scorecard
    11. The Path Ahead
    12. Summary
  12. CHAPTER 8: Existing and Emerging Government Guidance
    1. Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
    2. Software Verification
    3. NIST's Secure Software Development Framework
    4. NSA's Securing the Software Supply Chain Guidance Series
    5. NSA Appendices
    6. Recommended Practices Guide for Suppliers
    7. Recommended Practices Guide for Customers
    8. Summary
  13. CHAPTER 9: Software Transparency in Operational Technology
    1. The Kinetic Effect of Software
    2. Legacy Software Risks
    3. Ladder Logic and Setpoints in Control Systems
    4. ICS Attack Surface
    5. Smart Grid
    6. Summary
  14. CHAPTER 10: Practical Guidance for Suppliers
    1. Vulnerability Disclosure and Response PSIRT
    2. Product Security Incident Response Team (PSIRT)
    3. To Share or Not to Share and How Much Is Too Much?
    4. Copyleft, Licensing Concerns, and “As-Is” Code
    5. Open Source Program Offices
    6. Consistency Across Product Teams
    7. Manual Effort vs. Automation and Accuracy
    8. Summary
  15. CHAPTER 11: Practical Guidance for Consumers
    1. Thinking Broad and Deep
    2. Do I Really Need an SBOM?
    3. What Do I Do with It?
    4. Receiving and Managing SBOMs at Scale
    5. Reducing the Noise
    6. The Divergent Workflow—I Can't Just Apply a Patch?
    7. Summary
  16. CHAPTER 12: Software Transparency Predictions
    1. Emerging Efforts, Regulations, and Requirements
    2. The Power of the U.S. Government Supply Chains to Affect Markets
    3. Acceleration of Supply Chain Attacks
    4. The Increasing Connectedness of Our Digital World
    5. What Comes Next?
  17. Index
  18. Copyright
  19. Dedication
  20. About the Authors
  21. About the Technical Editor
  22. Acknowledgments
  23. End User License Agreement

Product information

  • Title: Software Transparency
  • Author(s): Chris Hughes, Tony Turner, Allan Friedman, Steve Springett
  • Release date: June 2023
  • Publisher(s): Wiley
  • ISBN: 9781394158485