Edition: 1
Authors: Cassie Crossley
ISBN: 1098133706, 9781098133702
Publisher: O'Reilly Media
Year of publication: 2024
Number of pages: 243
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on request)
File size: 5 MB
If you need the book Software Supply Chain Security: Securing the End-to-end Supply Chain for Software, Firmware, and Hardware converted to PDF, EPUB, AZW3, MOBI or DJVU, notify support and the file will be converted for you.
Note that Software Supply Chain Security: Securing the End-to-end Supply Chain for Software, Firmware, and Hardware is the original-language edition, not a Persian translation. The International Library website offers original-language books only and does not provide any book translated into or written in Persian.
Table of contents:
Cover; Copyright; Table of Contents; Foreword
Preface: Who Should Read This Book; Why I Wrote This Book; Navigating This Book; Conventions Used in This Book; O'Reilly Online Learning; How to Contact Us; Acknowledgments
Chapter 1. Supply Chain Security: Supply Chain Definitions; Software Supply Chain Security Impacts; Requirements, Laws, Regulations, and Directives; Summary
Chapter 2. Supply Chain Frameworks and Standards: Technology Risk Management Frameworks; NIST SP 800-37 Risk Management Framework (RMF); ISO 31000:2018 Risk Management; Control Objectives for Information and Related Technologies (COBIT®) 2019; NIST Cybersecurity Framework (CSF); Supply Chain Frameworks and Standards; NIST SP 800-161 Cybersecurity Supply Chain Risk Management for Systems and Organizations; UK Supplier Assurance Framework; MITRE System of Trust™ (SoT) Framework; ISO/IEC 20243-1:2023 Open Trusted Technology Provider Standard; SCS 9001 Supply Chain Security Standard; ISO 28000:2022 Security and Resilience; ISO/IEC 27036 Information Security for Supplier Relationships; Framework and Standards Considerations; Summary
Chapter 3. Infrastructure Security in the Product Lifecycle: Developer Environments; Code Repositories and Build Platforms; Development Tools; Labs and Test Environments; Preproduction and Production Environments; Software Distribution and Deployment Locations; Manufacturing and Supply Chain Environments; Customer Staging for Acceptance Tests; Service Systems and Tools; Summary
Chapter 4. Secure Development Lifecycle: Key Elements of an SDL; Security Requirements; Secure Design; Secure Development; Security Testing; Vulnerability Management; Augmenting an SDLC with SDL; ISA/IEC 62443-4-1 Secure Development Lifecycle; NIST SSDF; Microsoft SDL; ISO/IEC 27034 Application Security; SAFECode; SDL Considerations for IoT, OT, and Embedded Systems; Product and Application Security Metrics; Summary
Chapter 5. Source Code, Build, and Deployment Management: Source Code Types; Open Source; Commercial; Proprietary; Operating Systems and Frameworks; Low-Code/No-Code; Generative AI Source Code; Code Quality; Secure Coding Standards; Software Analysis Technologies; Code Reviews; Source Code Integrity; Change Management; Trusted Source Code; Trusted Dependencies; Build Management; Authentication and Authorization; Build Scripts and Automation; Repeatability and Reproducibility; Code Signing; Deployment Management; Summary
Chapter 6. Cloud and DevSecOps: Cloud Frameworks, Controls, and Assessments; ISO/IEC 27001 Information Security Management Systems; Cloud Security Alliance CCM and CAIQ; Cloud Security Alliance STAR Program; American Institute of CPAs SOC 2; US FedRAMP; Cloud Security Considerations and Requirements; DevSecOps; Change Management for Cloud; Secure Design and Development for Cloud Applications; API Security Testing; Deploying Immutable Infrastructure and Applications; Securing Connections; Operating and Monitoring; Site Reliability Engineering; Summary
Chapter 7. Intellectual Property and Data: Data Classification; People; Technology; Data Security; Loss of Code, Keys, and Secrets; Design Flaws; Configuration Errors; Application Programming Interfaces (APIs); Vulnerabilities; Summary
Chapter 8. Software Transparency: Software Transparency Use Cases; Software Bill of Materials (SBOM); SBOM Formats; SBOM Elements; SBOM Limitations; Additional Bill of Materials (BOMs); Vulnerability Disclosures; Additional Transparency Approaches; US CISA Secure Software Development Attestation Common Form; Supply Chain Integrity, Transparency, and Trust (SCITT); Digital Bill of Materials and Sharing Mechanisms; Graph of Understanding Artifact Composition (GUAC); In-Toto Attestation; Software Provenance Practices and Technology; Summary
Chapter 9. Suppliers: Cyber Assessments; Assessment Responses; Research; IT Security Including Environmental Security; Product/Application Security Organization; Product Security Processes and Secure Development Lifecycle; Training; Secure Development and Security Testing; Build Management, DevSecOps, and Release Management; Scanning, Vulnerability Management, Patching, and SLAs; Cloud Applications and Environments; Development Services; Manufacturing; Cyber Agreements, Contracts, and Addendums; Ongoing Supplier Management; Monitoring; Supplier Reviews; Right to Audit and Assess; Summary
Chapter 10. Manufacturing and Device Security: Suppliers and Manufacturing Security; Equipment, Systems, and Network Security Configurations; Physical Security; Code, Software, and Firmware Integrity; Tests for Integrity; Counterfeits; Chain of Custody; Device Protection Measures; Firmware; Public Key Infrastructure (PKI); Hardware Root of Trust; Secure Boot; Secure Element; Device Authentication; Summary
Chapter 11. People in the Software Supply Chain: Cybersecurity Organizational Structures; Security Champions; Cybersecurity Awareness and Training; Development Team; Secure Development Lifecycle (SDL); Source Code Management; DevSecOps and Cloud; Capture-the-Flag Events; Third-Party Suppliers; Manufacturing and Distribution; Customer Projects and Field Services; End Users; Summary
Appendix A. Security Controls: Infrastructure Security Controls; Secure Development Lifecycle Controls; Source Code, Build, and Deployment Controls; Cloud Controls; Intellectual Property and Data Controls; Software Transparency Controls; Supplier Controls; Manufacturing and Device Security Controls; People Controls
Index; About the Author; Colophon