
Software Transparency: Supply Chain Security in an Era of a Software-Driven Society

Price: 32,99 € (incl. statutory VAT, free shipping)

Product details

Binding: Paperback
Publication date: 07.06.2023
Editor: Steve Springett
Publisher: John Wiley & Sons Inc
Page count: 336
Dimensions (L/W/H): 23,4/18,6/1,9 cm
Weight: 640 g
Edition: 1st edition
Language: English
ISBN: 978-1-394-15848-5

Description

Reviews

"Starting this book off with a proper threat model is precisely what's needed as a frame for such an important problem. Supply chain risk is complicated, it's changing quickly, and the defensive measures often involve multiple teams, which drives up the complexity. The insights captured throughout this book are absolutely necessary for the state of software security today, and having the proper context and frame of the problem space as you read it will help get the most out of it."
-- Robert Wood, CISO of Centers for Medicare and Medicaid (CMS)

"This is a very good book. It achieves something that I don't think anyone else has even attempted: provide an encyclopedic account of guidelines, best practices, regulations, and current efforts to secure the software supply chain. The best aspect of this book is that someone (like me) who is primarily involved with just one aspect of software supply chain security can benefit from a well-informed treatment of the subject from different aspects, yet still have a reference tool to return to later, when the need arises to learn about other topics within this already vast discipline."
-- Tom Alrich


Manufacturer address

Libri GmbH
Europaallee 1
36244 Bad Hersfeld
DE

Email: gpsr@libri.de

Table of Contents

Foreword xxi
Introduction xxv

Chapter 1 Background on Software Supply Chain Threats 1
Incentives for the Attacker 1
Threat Models 2
Threat Modeling Methodologies 3
STRIDE 3
STRIDE-LM 4
Open Worldwide Application Security Project (OWASP) Risk-Rating Methodology 4
DREAD 5
Using Attack Trees 5
Threat Modeling Process 6
Landmark Case 1: SolarWinds 14
Landmark Case 2: Log4j 18
Landmark Case 3: Kaseya 21
What Can We Learn from These Cases? 23
Summary 24

Chapter 2 Existing Approaches - Traditional Vendor Risk Management 25
Assessments 25
SDL Assessments 28
Application Security Maturity Models 29
Governance 30
Design 30
Implementation 31
Verification 31
Operations 32
Application Security Assurance 32
Static Application Security Testing 33
Dynamic Application Security Testing 34
Interactive Application Security Testing 35
Mobile Application Security Testing 36
Software Composition Analysis 36
Hashing and Code Signing 37
Summary 39

Chapter 3 Vulnerability Databases and Scoring Methodologies 41
Common Vulnerabilities and Exposures 41
National Vulnerability Database 44
Software Identity Formats 46
CPE 46
Software Identification Tagging 47
purl 49
Sonatype OSS Index 50
Open Source Vulnerability Database 51
Global Security Database 52
Common Vulnerability Scoring System 54
Base Metrics 55
Temporal Metrics 57
Environmental Metrics 58
CVSS Rating Scale 58
Critiques 59
Exploit Prediction Scoring System 59
EPSS Model 60
EPSS Critiques 62
CISA's Take 63
Common Security Advisory Framework 63
Vulnerability Exploitability eXchange 64
Stakeholder-Specific Vulnerability Categorization and Known Exploited Vulnerabilities 65
Moving Forward 69
Summary 70

Chapter 4 Rise of Software Bill of Materials 71
SBOM in Regulations: Failures and Successes 71
NTIA: Evangelizing the Need for SBOM 72
Industry Efforts: National Labs 77
SBOM Formats 78
Software Identification (SWID) Tags 79
CycloneDX 80
Software Package Data Exchange (SPDX) 81
Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosures 82
VEX Enters the Conversation 83
VEX: Adding Context and Clarity 84
VEX vs. VDR 85
Moving Forward 88
Using SBOM with Other Attestations 89
Source Authenticity 89
Build Attestations 90
Dependency Management and Verification 90
Sigstore 92
Adoption 93
Sigstore Components 93
Commit Signing 95
SBOM Critiques and Concerns 95
Visibility for the Attacker 96
Intellectual Property 97
Tooling and Operationalization 97
Summary 98

Chapter 5 Challenges in Software Transparency 99
Firmware and Embedded Software 99
Linux Firmware 99
Real-Time Operating System Firmware 100
Embedded Systems 100
Device-Specific SBOM 100
Open Source Software and Proprietary Code 101
User Software 105
Legacy Software 106
Secure Transport 107
Summary 108

Chapter 6 Cloud and Containerization 111
Shared Responsibility Model 112
Breakdown of the Shared Responsibility Model 112
Duties of the Shared Responsibility Model 112
The 4 Cs of Cloud Native Security 116
Containers 118
Kubernetes 123
Serverless Model 128
SaaSBOM and the Complexity of APIs 129
CycloneDX SaaSBOM 130
Tooling and Emerging Discussions 132
Usage in DevOps and DevSecOps 132
Summary 135

Chapter 7 Existing and Emerging Commercial Guidance 137
Supply Chain Levels for Software Artifacts 137
Google Graph for Understanding Artifact Composition 141
CIS Software Supply Chain Security Guide 144
Source Code 145
Build Pipelines 146
Dependencies 148
Artifacts 148
Deployment 149
CNCF's Software Supply Chain Best Practices 150
Securing the Source Code 152
Securing Materials 154
Securing Build Pipelines 155
Securing Artifacts 157
Securing Deployments 157
CNCF's Secure Software Factory Reference Architecture 157
The Secure Software Factory Reference Architecture 158
Core Components 159
Management Components 160
Distribution Components 160
Variables and Functionality 160
Wrapping It Up 161
Microsoft's Secure Supply Chain Consumption Framework 161
S2C2F Practices 163
S2C2F Implementation Guide 166
OWASP Software Component Verification Standard 167
SCVS Levels 168
Level 1 168
Level 2 169
Level 3 169
Inventory 169
Software Bill of Materials 170
Build Environment 171
Package Management 171
Component Analysis 173
Pedigree and Provenance 173
Open Source Policy 174
OpenSSF Scorecard 175
Security Scorecards for Open Source Projects 175
How Can Organizations Make Use of the Scorecards Project? 177
The Path Ahead 178
Summary 178

Chapter 8 Existing and Emerging Government Guidance 179
Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations 179
Critical Software 181
Security Measures for Critical Software 182
Software Verification 186
Threat Modeling 187
Automated Testing 187
Code-Based or Static Analysis and Dynamic Testing 188
Review for Hard-Coded Secrets 188
Run with Language-Provided Checks and Protection 189
Black-Box Test Cases 189
Code-Based Test Cases 189
Historical Test Cases 189
Fuzzing 190
Web Application Scanning 190
Check Included Software Components 190
NIST's Secure Software Development Framework 191
SSDF Details 192
Prepare the Organization (PO) 193
Protect the Software (PS) 194
Produce Well-Secured Software (PW) 194
Respond to Vulnerabilities (RV) 196
NSA's Securing the Software Supply Chain Guidance Series 197
Security Guidance for Software Developers 197
Secure Product Criteria and Management 199
Develop Secure Code 202
Verify Third-Party Components 204
Harden the Build Environment 206
Deliver the Code 207
NSA Appendices 207
Recommended Practices Guide for Suppliers 209
Prepare the Organization 209
Protect the Software 210
Produce Well-Secured Software 211
Respond to Vulnerabilities 213
Recommended Practices Guide for Customers 214
Summary 218

Chapter 9 Software Transparency in Operational Technology 219
The Kinetic Effect of Software 220
Legacy Software Risks 222
Ladder Logic and Setpoints in Control Systems 223
ICS Attack Surface 225
Smart Grid 227
Summary 228

Chapter 10 Practical Guidance for Suppliers 229
Vulnerability Disclosure and Response PSIRT 229
Product Security Incident Response Team (PSIRT) 231
To Share or Not to Share and How Much Is Too Much? 236
Copyleft, Licensing Concerns, and "As-Is" Code 238
Open Source Program Offices 240
Consistency Across Product Teams 242
Manual Effort vs. Automation and Accuracy 243
Summary 244

Chapter 11 Practical Guidance for Consumers 245
Thinking Broad and Deep 245
Do I Really Need an SBOM? 246
What Do I Do with It? 250
Receiving and Managing SBOMs at Scale 251
Reducing the Noise 253
The Divergent Workflow - I Can't Just Apply a Patch? 254
Preparation 256
Identification 256
Analysis 257
Virtual Patch Creation 257
Implementation and Testing 258
Recovery and Follow-up 258
Long-Term Thinking 259
Summary 259

Chapter 12 Software Transparency Predictions 261
Emerging Efforts, Regulations, and Requirements 261
The Power of the U.S. Government Supply Chains to Affect Markets 267
Acceleration of Supply Chain Attacks 270
The Increasing Connectedness of Our Digital World 272
What Comes Next? 275

Index 283