East Baton Rouge Parish Library

Software transparency, supply chain security in an era of a software-driven society, Chris Hughes and Tony Turner ; foreword by Allan Friedman ; technical editor, Steve Springett

Label
Software transparency, supply chain security in an era of a software-driven society, Chris Hughes and Tony Turner ; foreword by Allan Friedman ; technical editor, Steve Springett
Language
eng
Index
no index present
Literary Form
non fiction
Main title
Software transparency
Nature of contents
dictionaries
Oclc number
11379289529
Responsibility statement
Chris Hughes and Tony Turner ; foreword by Allan Friedman ; technical editor, Steve Springett
Sub title
supply chain security in an era of a software-driven society
Summary
Discover the new cybersecurity landscape of the interconnected software supply chain. In Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, a team of veteran information security professionals delivers an expert treatment of software supply chain security. In the book, you'll explore real-world examples and guidance on how to defend your own organization against internal and external attacks. It includes coverage of topics including the history of the software transparency movement, software bills of materials, and high assurance attestations. The authors examine the background of attack vectors that are becoming increasingly vulnerable, like mobile and social networks, retail and banking systems, and infrastructure and defense systems. You'll also discover:
- Use cases and practical guidance for both software consumers and suppliers
- Discussions of firmware and embedded software, as well as cloud and connected APIs
- Strategies for understanding federal and defense software supply chain initiatives related to security
An essential resource for cybersecurity and application security professionals, Software Transparency will also be of extraordinary benefit to industrial control system, cloud, and mobile security professionals.
Table Of Contents
Cover -- Title Page -- Copyright Page -- Contents at a Glance -- Contents -- Foreword -- Introduction -- What Does This Book Cover? -- Who Will Benefit Most from This Book? -- Special Features
Chapter 1 Background on Software Supply Chain Threats -- Incentives for the Attacker -- Threat Models -- Threat Modeling Methodologies -- STRIDE -- STRIDE-LM -- Open Worldwide Application Security Project (OWASP) Risk-Rating Methodology -- DREAD -- Using Attack Trees -- Threat Modeling Process -- Landmark Case 1: SolarWinds -- Landmark Case 2: Log4j -- Landmark Case 3: Kaseya -- What Can We Learn from These Cases? -- Summary
Chapter 2 Existing Approaches-Traditional Vendor Risk Management -- Assessments -- SDL Assessments -- Application Security Maturity Models -- Governance -- Design -- Implementation -- Verification -- Operations -- Application Security Assurance -- Static Application Security Testing -- Dynamic Application Security Testing -- Interactive Application Security Testing -- Mobile Application Security Testing -- Software Composition Analysis -- Hashing and Code Signing -- Summary
Chapter 3 Vulnerability Databases and Scoring Methodologies -- Common Vulnerabilities and Exposures -- National Vulnerability Database -- Software Identity Formats -- CPE -- Software Identification Tagging -- PURL -- Sonatype OSS Index -- Open Source Vulnerability Database -- Global Security Database -- Common Vulnerability Scoring System -- Base Metrics -- Temporal Metrics -- Environmental Metrics -- CVSS Rating Scale -- Critiques -- Exploit Prediction Scoring System -- EPSS Model -- EPSS Critiques -- CISA's Take -- Common Security Advisory Framework -- Vulnerability Exploitability eXchange -- Stakeholder-Specific Vulnerability Categorization and Known Exploited Vulnerabilities -- Moving Forward -- Summary
Chapter 4 Rise of Software Bill of Materials -- SBOM in Regulations: Failures and Successes -- NTIA: Evangelizing the Need for SBOM -- Industry Efforts: National Labs -- SBOM Formats -- Software Identification (SWID) Tags -- CycloneDX -- Software Package Data Exchange (SPDX) -- Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosures -- VEX Enters the Conversation -- VEX: Adding Context and Clarity -- VEX vs. VDR -- Moving Forward -- Using SBOM with Other Attestations -- Source Authenticity -- Build Attestations -- Dependency Management and Verification -- Sigstore -- Adoption -- Sigstore Components -- Commit Signing -- SBOM Critiques and Concerns -- Visibility for the Attacker -- Intellectual Property -- Tooling and Operationalization -- Summary
Chapter 5 Challenges in Software Transparency -- Firmware and Embedded Software -- Linux Firmware -- Real-Time Operating System Firmware -- Embedded Systems -- Device-Specific SBOM -- Open Source Software and Proprietary Code -- User Software -- Legacy Software -- Secure Transport
Target audience
specialized
Content
writerofforeword