
Software transparency : supply chain security in an era of a software-driven society /

Discover the new cybersecurity landscape of the interconnected software supply chain. In Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, a team of veteran information security professionals delivers an expert treatment of software supply chain security. In the boo...


Bibliographic Details
Classification: Electronic Book
Main Authors: Hughes, Chris (Author), Turner, Tony (Author)
Other Authors: Springett, Steve (Editor), Friedman, Allan (writer of foreword)
Format: Electronic eBook
Language: English
Published: Hoboken : John Wiley & Sons, Inc., 2023.
Subjects:
Online Access: Full text (requires prior registration with an institutional email address)
Table of Contents:
  • Cover
  • Title Page
  • Copyright Page
  • Contents at a Glance
  • Contents
  • Foreword
  • Introduction
  • What Does This Book Cover?
  • Who Will Benefit Most from This Book?
  • Special Features
  • Chapter 1 Background on Software Supply Chain Threats
  • Incentives for the Attacker
  • Threat Models
  • Threat Modeling Methodologies
  • STRIDE
  • STRIDE-LM
  • Open Worldwide Application Security Project (OWASP) Risk-Rating Methodology
  • DREAD
  • Using Attack Trees
  • Threat Modeling Process
  • Landmark Case 1: SolarWinds
  • Landmark Case 2: Log4j
  • Landmark Case 3: Kaseya
  • What Can We Learn from These Cases?
  • Summary
  • Chapter 2 Existing Approaches-Traditional Vendor Risk Management
  • Assessments
  • SDL Assessments
  • Application Security Maturity Models
  • Governance
  • Design
  • Implementation
  • Verification
  • Operations
  • Application Security Assurance
  • Static Application Security Testing
  • Dynamic Application Security Testing
  • Interactive Application Security Testing
  • Mobile Application Security Testing
  • Software Composition Analysis
  • Hashing and Code Signing
  • Summary
  • Chapter 3 Vulnerability Databases and Scoring Methodologies
  • Common Vulnerabilities and Exposures
  • National Vulnerability Database
  • Software Identity Formats
  • CPE
  • Software Identification Tagging
  • PURL
  • Sonatype OSS Index
  • Open Source Vulnerability Database
  • Global Security Database
  • Common Vulnerability Scoring System
  • Base Metrics
  • Temporal Metrics
  • Environmental Metrics
  • CVSS Rating Scale
  • Critiques
  • Exploit Prediction Scoring System
  • EPSS Model
  • EPSS Critiques
  • CISA's Take
  • Common Security Advisory Framework
  • Vulnerability Exploitability eXchange
  • Stakeholder-Specific Vulnerability Categorization and Known Exploited Vulnerabilities
  • Moving Forward
  • Summary
  • Chapter 4 Rise of Software Bill of Materials
  • SBOM in Regulations: Failures and Successes
  • NTIA: Evangelizing the Need for SBOM
  • Industry Efforts: National Labs
  • SBOM Formats
  • Software Identification (SWID) Tags
  • CycloneDX
  • Software Package Data Exchange (SPDX)
  • Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosures
  • VEX Enters the Conversation
  • VEX: Adding Context and Clarity
  • VEX vs. VDR
  • Moving Forward
  • Using SBOM with Other Attestations
  • Source Authenticity
  • Build Attestations
  • Dependency Management and Verification
  • Sigstore
  • Adoption
  • Sigstore Components
  • Commit Signing
  • SBOM Critiques and Concerns
  • Visibility for the Attacker
  • Intellectual Property
  • Tooling and Operationalization
  • Summary
  • Chapter 5 Challenges in Software Transparency
  • Firmware and Embedded Software
  • Linux Firmware
  • Real-Time Operating System Firmware
  • Embedded Systems
  • Device-Specific SBOM
  • Open Source Software and Proprietary Code
  • User Software
  • Legacy Software
  • Secure Transport