Software Supply Chain Security

Software Supply Chain Security

by Cassie Crossley
Released February 2024
Publisher(s): O'Reilly Media, Inc.
ISBN: 9781098133702

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Buy on Amazon Buy on ebooks.com
Start your free trial

Book description

Trillions of lines of code help us in our lives, companies, and organizations. But just a single software cybersecurity vulnerability can stop entire companies from doing business and cause billions of dollars in revenue loss and business recovery. Securing the creation and deployment of software, also known as software supply chain security, goes well beyond the software development process.

This practical book gives you a comprehensive look at security risks and identifies the practical controls you need to incorporate into your end-to-end software supply chain. Author Cassie Crossley demonstrates how and why everyone involved in the supply chain needs to participate if your organization is to improve the security posture of its software, firmware, and hardware.

With this book, you'll learn how to:

  • Pinpoint the cybersecurity risks in each part of your organization's software supply chain
  • Identify the roles that participate in the supply chain—including IT, development, operations, manufacturing, and procurement
  • Design initiatives and controls for each part of the supply chain using existing frameworks and references
  • Implement secure development lifecycle, source code security, software build management, and software transparency practices
  • Evaluate third-party risk in your supply chain

Publisher resources

View/Submit Errata

Table of contents

  1. Foreword
  2. Preface
    1. Who Should Read This Book
    2. Why I Wrote This Book
    3. Navigating This Book
    4. Conventions Used in This Book
    5. O’Reilly Online Learning
    6. How to Contact Us
    7. Acknowledgments
  3. 1. Supply Chain Security
    1. Supply Chain Definitions
    2. Software Supply Chain Security Impacts
    3. Requirements, Laws, Regulations, and Directives
    4. Summary
  4. 2. Supply Chain Frameworks and Standards
    1. Technology Risk Management Frameworks
      1. NIST SP 800-37 Risk Management Framework (RMF)
      2. ISO 31000:2018 Risk Management
      3. Control Objectives for Information and Related Technologies (COBIT®) 2019
      4. NIST Cybersecurity Framework (CSF)
    2. Supply Chain Frameworks and Standards
      1. NIST SP 800-161 Cybersecurity Supply Chain Risk Management for Systems and Organizations
      2. UK Supplier Assurance Framework
      3. MITRE System of Trust™ (SoT) Framework
      4. ISO/IEC 20243-1:2023 Open Trusted Technology Provider Standard
      5. SCS 9001 Supply Chain Security Standard
      6. ISO 28000:2022 Security and Resilience
      7. ISO/IEC 27036 Information Security for Supplier Relationships
    3. Framework and Standards Considerations Summary
    4. Summary
  5. 3. Infrastructure Security in the Product Lifecycle
    1. Developer Environments
    2. Code Repositories and Build Platforms
    3. Development Tools
    4. Labs and Test Environments
    5. Preproduction and Production Environments
    6. Software Distribution and Deployment Locations
    7. Manufacturing and Supply Chain Environments
    8. Customer Staging for Acceptance Tests
    9. Service Systems and Tools
    10. Summary
  6. 4. Secure Development Lifecycle
    1. Key Elements of an SDL
      1. Security Requirements
      2. Secure Design
      3. Secure Development
      4. Security Testing
      5. Vulnerability Management
    2. Augmenting an SDLC with SDL
      1. ISA/IEC 62443-4-1 Secure Development Lifecycle
      2. NIST SSDF
      3. Microsoft SDL
      4. ISO/IEC 27034 Application Security
      5. SAFECode
      6. SDL Considerations for IoT, OT, and Embedded Systems
    3. Product and Application Security Metrics
    4. Summary
  7. 5. Source Code, Build, and Deployment Management
    1. Source Code Types
      1. Open Source
      2. Commercial
      3. Proprietary
      4. Operating Systems and Frameworks
      5. Low-Code/No-Code
      6. Generative AI Source Code
    2. Code Quality
      1. Secure Coding Standards
      2. Software Analysis Technologies
      3. Code Reviews
    3. Source Code Integrity
      1. Change Management
      2. Trusted Source Code
      3. Trusted Dependencies
    4. Build Management
      1. Authentication and Authorization
      2. Build Scripts and Automation
      3. Repeatability and Reproducibility
      4. Code Signing
    5. Deployment Management
    6. Summary
  8. 6. Cloud and DevSecOps
    1. Cloud Frameworks, Controls, and Assessments
      1. ISO/IEC 27001 Information Security Management Systems
      2. Cloud Security Alliance CCM and CAIQ
      3. Cloud Security Alliance STAR Program
      4. American Institute of CPAs SOC 2
      5. US FedRAMP
      6. Cloud Security Considerations and Requirements
    2. DevSecOps
      1. Change Management for Cloud
      2. Secure Design and Development for Cloud Applications
      3. API Security
      4. Testing
      5. Deploying Immutable Infrastructure and Applications
      6. Securing Connections
      7. Operating and Monitoring
      8. Site Reliability Engineering
    3. Summary
  9. 7. Intellectual Property and Data
    1. Data Classification
    2. People
    3. Technology
      1. Data Security
      2. Loss of Code, Keys, and Secrets
      3. Design Flaws
      4. Configuration Errors
      5. Application Programming Interfaces (APIs)
      6. Vulnerabilities
    4. Summary
  10. 8. Software Transparency
    1. Software Transparency Use Cases
    2. Software Bill of Materials (SBOM)
      1. SBOM Formats
      2. SBOM Elements
      3. SBOM Limitations
      4. Additional Bill of Materials (BOMs)
    3. Vulnerability Disclosures
    4. Additional Transparency Approaches
      1. US CISA Secure Software Development Attestation Common Form
      2. Supply Chain Integrity, Transparency, and Trust (SCITT)
      3. Digital Bill of Materials and Sharing Mechanisms
      4. Graph of Understanding Artifact Composition (GUAC)
      5. In-Toto Attestation
      6. Software Provenance
      7. Practices and Technology
    5. Summary
  11. 9. Suppliers
    1. Cyber Assessments
      1. Assessment Responses
      2. Research
      3. IT Security Including Environmental Security
      4. Product/Application Security Organization
      5. Product Security Processes and Secure Development Lifecycle
      6. Training
      7. Secure Development and Security Testing
      8. Build Management, DevSecOps, and Release Management
      9. Scanning, Vulnerability Management, Patching, and SLAs
      10. Cloud Applications and Environments
      11. Development Services
      12. Manufacturing
    2. Cyber Agreements, Contracts, and Addendums
    3. Ongoing Supplier Management
      1. Monitoring
      2. Supplier Reviews
      3. Right to Audit and Assess
    4. Summary
  12. 10. Manufacturing and Device Security
    1. Suppliers and Manufacturing Security
      1. Equipment, Systems, and Network Security Configurations
      2. Physical Security
    2. Code, Software, and Firmware Integrity
      1. Tests for Integrity
      2. Counterfeits
    3. Chain of Custody
    4. Device Protection Measures
      1. Firmware Public Key Infrastructure (PKI)
      2. Hardware Root of Trust
      3. Secure Boot
      4. Secure Element
      5. Device Authentication
    5. Summary
  13. 11. People in the Software Supply Chain
    1. Cybersecurity Organizational Structures
    2. Security Champions
    3. Cybersecurity Awareness and Training
    4. Development Team
      1. Secure Development Lifecycle (SDL)
      2. Source Code Management
      3. DevSecOps and Cloud
      4. Capture-the-Flag Events
    5. Third-Party Suppliers
    6. Manufacturing and Distribution
    7. Customer Projects and Field Services
    8. End Users
    9. Summary
  14. Appendix. Security Controls
    1. Infrastructure Security Controls
    2. Secure Development Lifecycle Controls
    3. Source Code, Build, and Deployment Controls
    4. Cloud Controls
    5. Intellectual Property and Data Controls
    6. Software Transparency Controls
    7. Supplier Controls
    8. Manufacturing and Device Security Controls
    9. People Controls
  15. Index
  16. About the Author

Product information

  • Title: Software Supply Chain Security
  • Author(s): Cassie Crossley
  • Release date: February 2024
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781098133702