In Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, a team of veteran information security professionals delivers an expert treatment of software supply chain security. In the book, you’ll explore real-world examples and guidance on how to defend your own organization against internal and external attacks. It includes coverage of topics including the history of the software transparency movement, software bills of materials, and high assurance attestations.
The authors examine the background of attack vectors that are becoming increasingly vulnerable, like mobile and social networks, retail and banking systems, and infrastructure and defense systems. You’ll also discover: - Use cases and practical guidance for both software consumers and suppliers - Discussions of firmware and embedded software, as well as cloud and connected APIs - Strategies for understanding federal and defense software supply chain initiatives related to security
An essential resource for cybersecurity and application security professionals, Software Transparency will also be of extraordinary benefit to industrial control system, cloud, and mobile security professionals.
Table of Contents
Foreword xxi
Introduction xxv
Chapter 1 Background on Software Supply Chain Threats 1
Incentives for the Attacker 1
Threat Models 2
Threat Modeling Methodologies 3
Stride 3
Stride- LM 4
Open Worldwide Application Security Project (OWASP) Risk- Rating Methodology 4
Dread 5
Using Attack Trees 5
Threat Modeling Process 6
Landmark Case 1: SolarWinds 14
Landmark Case 2: Log4j 18
Landmark Case 3: Kaseya 21
What Can We Learn from These Cases? 23
Summary 24
Chapter 2 Existing Approaches - Traditional Vendor Risk Management 25
Assessments 25
SDL Assessments 28
Application Security Maturity Models 29
Governance 30
Design 30
Implementation 31
Verification 31
Operations 32
Application Security Assurance 32
Static Application Security Testing 33
Dynamic Application Security Testing 34
Interactive Application Security Testing 35
Mobile Application Security Testing 36
Software Composition Analysis 36
Hashing and Code Signing 37
Summary 39
Chapter 3 Vulnerability Databases and Scoring Methodologies 41
Common Vulnerabilities and Exposures 41
National Vulnerability Database 44
Software Identity Formats 46
Cpe 46
Software Identification Tagging 47
Purl 49
Sonatype OSS Index 50
Open Source Vulnerability Database 51
Global Security Database 52
Common Vulnerability Scoring System 54
Base Metrics 55
Temporal Metrics 57
Environmental Metrics 58
CVSS Rating Scale 58
Critiques 59
Exploit Prediction Scoring System 59
EPSS Model 60
EPSS Critiques 62
CISA’s Take 63
Common Security Advisory Framework 63
Vulnerability Exploitability eXchange 64
Stakeholder- Specific Vulnerability Categorization and Known Exploited Vulnerabilities 65
Moving Forward 69
Summary 70
Chapter 4 Rise of Software Bill of Materials 71
SBOM in Regulations: Failures and Successes 71
NTIA: Evangelizing the Need for SBOM 72
Industry Efforts: National Labs 77
SBOM Formats 78
Software Identification (SWID) Tags 79
CycloneDX 80
Software Package Data Exchange (SPDX) 81
Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosures 82
VEX Enters the Conversation 83
VEX: Adding Context and Clarity 84
VEX vs. VDR 85
Moving Forward 88
Using SBOM with Other Attestations 89
Source Authenticity 89
Build Attestations 90
Dependency Management and Verification 90
Sigstore 92
Adoption 93
Sigstore Components 93
Commit Signing 95
SBOM Critiques and Concerns 95
Visibility for the Attacker 96
Intellectual Property 97
Tooling and Operationalization 97
Summary 98
Chapter 5 Challenges in Software Transparency 99
Firmware and Embedded Software 99
Linux Firmware 99
Real- Time Operating System Firmware 100
Embedded Systems 100
Device- Specific SBOM 100
Open Source Software and Proprietary Code 101
User Software 105
Legacy Software 106
Secure Transport 107
Summary 108
Chapter 6 Cloud and Containerization 111
Shared Responsibility Model 112
Breakdown of the Shared Responsibility Model 112
Duties of the Shared Responsibility Model 112
The 4 Cs of Cloud Native Security 116
Containers 118
Kubernetes 123
Serverless Model 128
SaaSBOM and the Complexity of APIs 129
CycloneDX SaaSBOM 130
Tooling and Emerging Discussions 132
Usage in DevOps and DevSecOps 132
Summary 135
Chapter 7 Existing and Emerging Commercial Guidance 137
Supply Chain Levels for Software Artifacts 137
Google Graph for Understanding Artifact Composition 141
CIS Software Supply Chain Security Guide 144
Source Code 145
Build Pipelines 146
Dependencies 148
Artifacts 148
Deployment 149
CNCF’s Software Supply Chain Best Practices 150
Securing the Source Code 152
Securing Materials 154
Securing Build Pipelines 155
Securing Artifacts 157
Securing Deployments 157
CNCF’s Secure Software Factory Reference Architecture 157
The Secure Software Factory Reference Architecture 158
Core Components 159
Management Components 160
Distribution Components 160
Variables and Functionality 160
Wrapping It Up 161
Microsoft’s Secure Supply Chain Consumption Framework 161
S2C2F Practices 163
S2C2F Implementation Guide 166
OWASP Software Component Verification Standard 167
SCVS Levels 168
Level 1 168
Level 2 169
Level 3 169
Inventory 169
Software Bill of Materials 170
Build Environment 171
Package Management 171
Component Analysis 173
Pedigree and Provenance 173
Open Source Policy 174
OpenSSF Scorecard 175
Security Scorecards for Open Source Projects 175
How Can Organizations Make Use of the Scorecards Project? 177
The Path Ahead 178
Summary 178
Chapter 8 Existing and Emerging Government Guidance 179
Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations 179
Critical Software 181
Security Measures for Critical Software 182
Software Verification 186
Threat Modeling 187
Automated Testing 187
Code- Based or Static Analysis and Dynamic Testing 188
Review for Hard-Coded Secrets 188
Run with Language- Provided Checks and Protection 189
Black- Box Test Cases 189
Code- Based Test Cases 189
Historical Test Cases 189
Fuzzing 190
Web Application Scanning 190
Check Included Software Components 190
NIST’s Secure Software Development Framework 191
SSDF Details 192
Prepare the Organization (PO) 193
Protect the Software (PS) 194
Produce Well- Secured Software (PW) 194
Respond to Vulnerabilities (RV) 196
NSAs: Securing the Software Supply Chain Guidance Series 197
Security Guidance for Software Developers 197
Secure Product Criteria and Management 199
Develop Secure Code 202
Verify Third- Party Components 204
Harden the Build Environment 206
Deliver the Code 207
NSA Appendices 207
Recommended Practices Guide for Suppliers 209
Prepare the Organization 209
Protect the Software 210
Produce Well- Secured Software 211
Respond to Vulnerabilities 213
Recommended Practices Guide for Customers 214
Summary 218
Chapter 9 Software Transparency in Operational Technology 219
The Kinetic Effect of Software 220
Legacy Software Risks 222
Ladder Logic and Setpoints in Control Systems 223
ICS Attack Surface 225
Smart Grid 227
Summary 228
Chapter 10 Practical Guidance for Suppliers 229
Vulnerability Disclosure and Response PSIRT 229
Product Security Incident Response Team (PSIRT) 231
To Share or Not to Share and How Much Is Too Much? 236
Copyleft, Licensing Concerns, and “As- Is” Code 238
Open Source Program Offices 240
Consistency Across Product Teams 242
Manual Effort vs. Automation and Accuracy 243
Summary 244
Chapter 11 Practical Guidance for Consumers 245
Thinking Broad and Deep 245
Do I Really Need an SBOM? 246
What Do I Do with It? 250
Receiving and Managing SBOMs at Scale 251
Reducing the Noise 253
The Divergent Workflow - I Can’t Just Apply a Patch? 254
Preparation 256
Identification 256
Analysis 257
Virtual Patch Creation 257
Implementation and Testing 258
Recovery and Follow- up 258
Long- Term Thinking 259
Summary 259
Chapter 12 Software Transparency Predictions 261
Emerging Efforts, Regulations, and Requirements 261
The Power of the U.S. Government Supply Chains to Affect Markets 267
Acceleration of Supply Chain Attacks 270
The Increasing Connectedness of Our Digital World 272
What Comes Next? 275
Index 283