Software Transparency Supply Chain Security in an Era of a Software-Driven Society

Bibliographic Details
Other Authors: Hughes, Chris, author; Turner, Tony, author
Format: Electronic book
Language: English
Published: Hoboken, New Jersey : John Wiley & Sons, Inc [2023]
Subjects:
View at Biblioteca Universitat Ramon Llull: https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009752737906719
Table of Contents:
  • Cover
  • Title Page
  • Copyright Page
  • Contents at a Glance
  • Contents
  • Foreword
  • Introduction
  • What Does This Book Cover?
  • Who Will Benefit Most from This Book?
  • Special Features
  • Chapter 1 Background on Software Supply Chain Threats
  • Incentives for the Attacker
  • Threat Models
  • Threat Modeling Methodologies
  • STRIDE
  • STRIDE-LM
  • Open Worldwide Application Security Project (OWASP) Risk-Rating Methodology
  • DREAD
  • Using Attack Trees
  • Threat Modeling Process
  • Landmark Case 1: SolarWinds
  • Landmark Case 2: Log4j
  • Landmark Case 3: Kaseya
  • What Can We Learn from These Cases?
  • Summary
  • Chapter 2 Existing Approaches-Traditional Vendor Risk Management
  • Assessments
  • SDL Assessments
  • Application Security Maturity Models
  • Governance
  • Design
  • Implementation
  • Verification
  • Operations
  • Application Security Assurance
  • Static Application Security Testing
  • Dynamic Application Security Testing
  • Interactive Application Security Testing
  • Mobile Application Security Testing
  • Software Composition Analysis
  • Hashing and Code Signing
  • Summary
  • Chapter 3 Vulnerability Databases and Scoring Methodologies
  • Common Vulnerabilities and Exposures
  • National Vulnerability Database
  • Software Identity Formats
  • CPE
  • Software Identification Tagging
  • PURL
  • Sonatype OSS Index
  • Open Source Vulnerability Database
  • Global Security Database
  • Common Vulnerability Scoring System
  • Base Metrics
  • Temporal Metrics
  • Environmental Metrics
  • CVSS Rating Scale
  • Critiques
  • Exploit Prediction Scoring System
  • EPSS Model
  • EPSS Critiques
  • CISA's Take
  • Common Security Advisory Framework
  • Vulnerability Exploitability eXchange
  • Stakeholder-Specific Vulnerability Categorization and Known Exploited Vulnerabilities
  • Moving Forward
  • Summary
  • Chapter 4 Rise of Software Bill of Materials
  • SBOM in Regulations: Failures and Successes
  • NTIA: Evangelizing the Need for SBOM
  • Industry Efforts: National Labs
  • SBOM Formats
  • Software Identification (SWID) Tags
  • CycloneDX
  • Software Package Data Exchange (SPDX)
  • Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosures
  • VEX Enters the Conversation
  • VEX: Adding Context and Clarity
  • VEX vs. VDR
  • Moving Forward
  • Using SBOM with Other Attestations
  • Source Authenticity
  • Build Attestations
  • Dependency Management and Verification
  • Sigstore
  • Adoption
  • Sigstore Components
  • Commit Signing
  • SBOM Critiques and Concerns
  • Visibility for the Attacker
  • Intellectual Property
  • Tooling and Operationalization
  • Summary
  • Chapter 5 Challenges in Software Transparency
  • Firmware and Embedded Software
  • Linux Firmware
  • Real-Time Operating System Firmware
  • Embedded Systems
  • Device-Specific SBOM
  • Open Source Software and Proprietary Code
  • User Software
  • Legacy Software
  • Secure Transport
  • Summary
  • Chapter 6 Cloud and Containerization
  • Shared Responsibility Model
  • Breakdown of the Shared Responsibility Model
  • Duties of the Shared Responsibility Model
  • The 4 Cs of Cloud Native Security
  • Containers
  • Kubernetes
  • Serverless Model
  • SaaSBOM and the Complexity of APIs
  • CycloneDX SaaSBOM
  • Tooling and Emerging Discussions
  • Usage in DevOps and DevSecOps
  • Summary
  • Chapter 7 Existing and Emerging Commercial Guidance
  • Supply Chain Levels for Software Artifacts
  • Google Graph for Understanding Artifact Composition
  • CIS Software Supply Chain Security Guide
  • Source Code
  • Build Pipelines
  • Dependencies
  • Artifacts
  • Deployment
  • CNCF's Software Supply Chain Best Practices
  • Securing the Source Code
  • Securing Materials
  • Securing Build Pipelines
  • Securing Artifacts
  • Securing Deployments
  • CNCF's Secure Software Factory Reference Architecture
  • The Secure Software Factory Reference Architecture
  • Core Components
  • Management Components
  • Distribution Components
  • Variables and Functionality
  • Wrapping It Up
  • Microsoft's Secure Supply Chain Consumption Framework
  • S2C2F Practices
  • S2C2F Implementation Guide
  • OWASP Software Component Verification Standard
  • SCVS Levels
  • Level 1
  • Level 2
  • Level 3
  • Inventory
  • Software Bill of Materials
  • Build Environment
  • Package Management
  • Component Analysis
  • Pedigree and Provenance
  • Open Source Policy
  • OpenSSF Scorecard
  • Security Scorecards for Open Source Projects
  • How Can Organizations Make Use of the Scorecards Project?
  • The Path Ahead
  • Summary
  • Chapter 8 Existing and Emerging Government Guidance
  • Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
  • Critical Software
  • Security Measures for Critical Software
  • Software Verification
  • Threat Modeling
  • Automated Testing
  • Code-Based or Static Analysis and Dynamic Testing
  • Review for Hard-Coded Secrets
  • Run with Language-Provided Checks and Protection
  • Black-Box Test Cases
  • Code-Based Test Cases
  • Historical Test Cases
  • Fuzzing
  • Web Application Scanning
  • Check Included Software Components
  • NIST's Secure Software Development Framework
  • SSDF Details
  • Prepare the Organization (PO)
  • Protect the Software (PS)
  • Produce Well-Secured Software (PW)
  • Respond to Vulnerabilities (RV)
  • NSA's Securing the Software Supply Chain Guidance Series
  • Security Guidance for Software Developers
  • Secure Product Criteria and Management
  • Develop Secure Code
  • Verify Third-Party Components
  • Harden the Build Environment
  • Deliver the Code
  • NSA Appendices
  • Recommended Practices Guide for Suppliers
  • Prepare the Organization
  • Protect the Software
  • Produce Well-Secured Software
  • Respond to Vulnerabilities
  • Recommended Practices Guide for Customers
  • Summary
  • Chapter 9 Software Transparency in Operational Technology
  • The Kinetic Effect of Software
  • Legacy Software Risks
  • Ladder Logic and Setpoints in Control Systems
  • ICS Attack Surface
  • Smart Grid
  • Summary
  • Chapter 10 Practical Guidance for Suppliers
  • Vulnerability Disclosure and Response PSIRT
  • Product Security Incident Response Team (PSIRT)
  • To Share or Not to Share and How Much Is Too Much?
  • Copyleft, Licensing Concerns, and "As-Is" Code
  • Open Source Program Offices
  • Consistency Across Product Teams
  • Manual Effort vs. Automation and Accuracy
  • Summary
  • Chapter 11 Practical Guidance for Consumers
  • Thinking Broad and Deep
  • Do I Really Need an SBOM?
  • What Do I Do with It?
  • Receiving and Managing SBOMs at Scale
  • Reducing the Noise
  • The Divergent Workflow-I Can't Just Apply a Patch?
  • Preparation
  • Identification
  • Analysis
  • Virtual Patch Creation
  • Implementation and Testing
  • Recovery and Follow-up
  • Long-Term Thinking
  • Summary
  • Chapter 12 Software Transparency Predictions
  • Emerging Efforts, Regulations, and Requirements
  • The Power of the U.S. Government Supply Chains to Affect Markets
  • Acceleration of Supply Chain Attacks
  • The Increasing Connectedness of Our Digital World
  • What Comes Next?
  • Index
  • EULA