book

Software Transparency

Name: Software Transparency
ISBN: 9781394158485

by Chris Hughes, Tony Turner, Allan Friedman, Steve Springett

June 2023

Intermediate to advanced

336 pages

10h 12m

English

Wiley

Read now

Unlock full access

Cover
Title Page
Foreword
Introduction
What Does This Book Cover?Who Will Benefit Most from This Book?Special Features
CHAPTER 1: Background on Software Supply Chain Threats
Incentives for the AttackerThreat ModelsLandmark Case 1: SolarWindsLandmark Case 2: Log4jLandmark Case 3: KaseyaWhat Can We Learn from These Cases?Summary
CHAPTER 2: Existing Approaches—Traditional Vendor Risk Management
AssessmentsSDL AssessmentsApplication Security Maturity ModelsApplication Security AssuranceHashing and Code SigningSummary
CHAPTER 3: Vulnerability Databases and Scoring Methodologies
Common Vulnerabilities and ExposuresNational Vulnerability DatabaseSoftware Identity FormatsSonatype OSS IndexOpen Source Vulnerability DatabaseGlobal Security DatabaseCommon Vulnerability Scoring SystemExploit Prediction Scoring SystemEPSS ModelEPSS CritiquesCISA's TakeMoving ForwardSummary
CHAPTER 4: Rise of Software Bill of Materials
SBOM in Regulations: Failures and SuccessesIndustry Efforts: National LabsSBOM FormatsMoving ForwardUsing SBOM with Other AttestationsSummary
CHAPTER 5: Challenges in Software Transparency
Firmware and Embedded SoftwareOpen Source Software and Proprietary CodeUser SoftwareLegacy SoftwareSecure TransportSummary
CHAPTER 6: Cloud and Containerization
Shared Responsibility ModelThe 4 Cs of Cloud Native SecurityContainersKubernetesServerless ModelSaaSBOM and the Complexity of APIsUsage in DevOps and DevSecOpsSummary

CHAPTER 7: Existing and Emerging Commercial Guidance
Supply Chain Levels for Software ArtifactsGoogle Graph for Understanding Artifact CompositionCIS Software Supply Chain Security GuideCNCF's Software Supply Chain Best PracticesCNCF's Secure Software Factory Reference ArchitectureMicrosoft's Secure Supply Chain Consumption FrameworkS2C2F PracticesS2C2F Implementation GuideOWASP Software Component Verification StandardOpenSSF ScorecardThe Path AheadSummary
CHAPTER 8: Existing and Emerging Government Guidance
Cybersecurity Supply Chain Risk Management Practices for Systems and OrganizationsSoftware VerificationNIST's Secure Software Development FrameworkNSAs: Securing the Software Supply Chain Guidance SeriesNSA AppendicesRecommended Practices Guide for SuppliersRecommended Practices Guide for CustomersSummary
CHAPTER 9: Software Transparency in Operational Technology
The Kinetic Effect of SoftwareLegacy Software RisksLadder Logic and Setpoints in Control SystemsICS Attack SurfaceSmart GridSummary
CHAPTER 10: Practical Guidance for Suppliers
Vulnerability Disclosure and Response PSIRTProduct Security Incident Response Team (PSIRT)To Share or Not to Share and How Much Is Too Much?Copyleft, Licensing Concerns, and “As-Is” CodeOpen Source Program OfficesConsistency Across Product TeamsManual Effort vs. Automation and AccuracySummary
CHAPTER 11: Practical Guidance for Consumers
Thinking Broad and DeepDo I Really Need an SBOM?What Do I Do with It?Receiving and Managing SBOMs at ScaleReducing the NoiseThe Divergent Workflow—I Can't Just Apply a Patch?Summary
CHAPTER 12: Software Transparency Predictions
Emerging Efforts, Regulations, and RequirementsThe Power of the U.S. Government Supply Chains to Affect MarketsAcceleration of Supply Chain AttacksThe Increasing Connectedness of Our Digital WorldWhat Comes Next?
Index
Copyright
Dedication
About the Authors
About the Technical Editor
Acknowledgments
End User License Agreement

Content preview from Software Transparency

WILEY END USER LICENSE AGREEMENT

Go to www.wiley.com/go/eula to access Wiley’s ebook EULA.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781394158485Purchase Link

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Software Transparency

by Chris Hughes, Tony Turner, Allan Friedman, Steve Springett

WILEY END USER LICENSE AGREEMENT

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.