Software transparency : supply chain security in an era of a software-driven society /
Discover the new cybersecurity landscape of the interconnected software supply chain. In Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, a team of veteran information security professionals delivers an expert treatment of software supply chain security. In the boo...
| Classification: | Electronic book |
|---|---|
| Main authors: | |
| Other authors: | |
| Format: | Electronic eBook |
| Language: | English |
| Published: | Hoboken : John Wiley & Sons, Inc., 2023. |
| Subjects: | |
| Online access: | Full text (requires prior registration with an institutional email address) |
Table of Contents:
- Cover
- Title Page
- Copyright Page
- Contents at a Glance
- Contents
- Foreword
- Introduction
- What Does This Book Cover?
- Who Will Benefit Most from This Book?
- Special Features
- Chapter 1 Background on Software Supply Chain Threats
- Incentives for the Attacker
- Threat Models
- Threat Modeling Methodologies
- STRIDE
- STRIDE-LM
- Open Worldwide Application Security Project (OWASP) Risk-Rating Methodology
- DREAD
- Using Attack Trees
- Threat Modeling Process
- Landmark Case 1: SolarWinds
- Landmark Case 2: Log4j
- Landmark Case 3: Kaseya
- What Can We Learn from These Cases?
- Summary
- Chapter 2 Existing Approaches-Traditional Vendor Risk Management
- Assessments
- SDL Assessments
- Application Security Maturity Models
- Governance
- Design
- Implementation
- Verification
- Operations
- Application Security Assurance
- Static Application Security Testing
- Dynamic Application Security Testing
- Interactive Application Security Testing
- Mobile Application Security Testing
- Software Composition Analysis
- Hashing and Code Signing
- Summary
- Chapter 3 Vulnerability Databases and Scoring Methodologies
- Common Vulnerabilities and Exposures
- National Vulnerability Database
- Software Identity Formats
- CPE
- Software Identification Tagging
- PURL
- Sonatype OSS Index
- Open Source Vulnerability Database
- Global Security Database
- Common Vulnerability Scoring System
- Base Metrics
- Temporal Metrics
- Environmental Metrics
- CVSS Rating Scale
- Critiques
- Exploit Prediction Scoring System
- EPSS Model
- EPSS Critiques
- CISA's Take
- Common Security Advisory Framework
- Vulnerability Exploitability eXchange
- Stakeholder-Specific Vulnerability Categorization and Known Exploited Vulnerabilities
- Moving Forward
- Summary
- Chapter 4 Rise of Software Bill of Materials
- SBOM in Regulations: Failures and Successes
- NTIA: Evangelizing the Need for SBOM
- Industry Efforts: National Labs
- SBOM Formats
- Software Identification (SWID) Tags
- CycloneDX
- Software Package Data Exchange (SPDX)
- Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosures
- VEX Enters the Conversation
- VEX: Adding Context and Clarity
- VEX vs. VDR
- Moving Forward
- Using SBOM with Other Attestations
- Source Authenticity
- Build Attestations
- Dependency Management and Verification
- Sigstore
- Adoption
- Sigstore Components
- Commit Signing
- SBOM Critiques and Concerns
- Visibility for the Attacker
- Intellectual Property
- Tooling and Operationalization
- Summary
- Chapter 5 Challenges in Software Transparency
- Firmware and Embedded Software
- Linux Firmware
- Real-Time Operating System Firmware
- Embedded Systems
- Device-Specific SBOM
- Open Source Software and Proprietary Code
- User Software
- Legacy Software
- Secure Transport