ISBN-13: 9781394158485 / English / Paperback / 2023
"Starting this book off with a proper threat model is precisely what's needed as a frame for such an important problem. Supply chain risk is complicated, it's changing quickly, and the defensive measures often involve multiple teams, which drives up the complexity. The insights captured throughout this book are absolutely necessary for the state of software security today, and having the proper context and frame of the problem space as you read it will help get the most out of it."
--Robert Wood, CISO of Centers for Medicare and Medicaid (CMS)

"This is a very good book. It achieves something that I don't think anyone else has even attempted: provide an encyclopedic account of guidelines, best practices, regulations, and current efforts to secure the software supply chain. The best aspect of this book is that someone (like me) who is primarily involved with just one aspect of software supply chain security can benefit from a well-informed treatment of the subject from different aspects, yet still have a reference tool to return to later, when the need arises to learn about other topics within this already vast discipline."
--Tom Alrich
Foreword  xxi
Introduction  xxv

Chapter 1: Background on Software Supply Chain Threats  1
  Incentives for the Attacker  1
  Threat Models  2
  Threat Modeling Methodologies  3
  STRIDE  3
  STRIDE-LM  4
  Open Worldwide Application Security Project (OWASP) Risk-Rating Methodology  4
  DREAD  5
  Using Attack Trees  5
  Threat Modeling Process  6
  Landmark Case 1: SolarWinds  14
  Landmark Case 2: Log4j  18
  Landmark Case 3: Kaseya  21
  What Can We Learn from These Cases?  23
  Summary  24

Chapter 2: Existing Approaches: Traditional Vendor Risk Management  25
  Assessments  25
  SDL Assessments  28
  Application Security Maturity Models  29
  Governance  30
  Design  30
  Implementation  31
  Verification  31
  Operations  32
  Application Security Assurance  32
  Static Application Security Testing  33
  Dynamic Application Security Testing  34
  Interactive Application Security Testing  35
  Mobile Application Security Testing  36
  Software Composition Analysis  36
  Hashing and Code Signing  37
  Summary  39

Chapter 3: Vulnerability Databases and Scoring Methodologies  41
  Common Vulnerabilities and Exposures  41
  National Vulnerability Database  44
  Software Identity Formats  46
  CPE  46
  Software Identification Tagging  47
  PURL  49
  Sonatype OSS Index  50
  Open Source Vulnerability Database  51
  Global Security Database  52
  Common Vulnerability Scoring System  54
  Base Metrics  55
  Temporal Metrics  57
  Environmental Metrics  58
  CVSS Rating Scale  58
  Critiques  59
  Exploit Prediction Scoring System  59
  EPSS Model  60
  EPSS Critiques  62
  CISA's Take  63
  Common Security Advisory Framework  63
  Vulnerability Exploitability eXchange  64
  Stakeholder-Specific Vulnerability Categorization and Known Exploited Vulnerabilities  65
  Moving Forward  69
  Summary  70

Chapter 4: Rise of Software Bill of Materials  71
  SBOM in Regulations: Failures and Successes  71
  NTIA: Evangelizing the Need for SBOM  72
  Industry Efforts: National Labs  77
  SBOM Formats  78
  Software Identification (SWID) Tags  79
  CycloneDX  80
  Software Package Data Exchange (SPDX)  81
  Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosures  82
  VEX Enters the Conversation  83
  VEX: Adding Context and Clarity  84
  VEX vs. VDR  85
  Moving Forward  88
  Using SBOM with Other Attestations  89
  Source Authenticity  89
  Build Attestations  90
  Dependency Management and Verification  90
  Sigstore  92
  Adoption  93
  Sigstore Components  93
  Commit Signing  95
  SBOM Critiques and Concerns  95
  Visibility for the Attacker  96
  Intellectual Property  97
  Tooling and Operationalization  97
  Summary  98

Chapter 5: Challenges in Software Transparency  99
  Firmware and Embedded Software  99
  Linux Firmware  99
  Real-Time Operating System Firmware  100
  Embedded Systems  100
  Device-Specific SBOM  100
  Open Source Software and Proprietary Code  101
  User Software  105
  Legacy Software  106
  Secure Transport  107
  Summary  108

Chapter 6: Cloud and Containerization  111
  Shared Responsibility Model  112
  Breakdown of the Shared Responsibility Model  112
  Duties of the Shared Responsibility Model  112
  The 4 Cs of Cloud Native Security  116
  Containers  118
  Kubernetes  123
  Serverless Model  128
  SaaSBOM and the Complexity of APIs  129
  CycloneDX SaaSBOM  130
  Tooling and Emerging Discussions  132
  Usage in DevOps and DevSecOps  132
  Summary  135

Chapter 7: Existing and Emerging Commercial Guidance  137
  Supply Chain Levels for Software Artifacts  137
  Google Graph for Understanding Artifact Composition  141
  CIS Software Supply Chain Security Guide  144
  Source Code  145
  Build Pipelines  146
  Dependencies  148
  Artifacts  148
  Deployment  149
  CNCF's Software Supply Chain Best Practices  150
  Securing the Source Code  152
  Securing Materials  154
  Securing Build Pipelines  155
  Securing Artifacts  157
  Securing Deployments  157
  CNCF's Secure Software Factory Reference Architecture  157
  The Secure Software Factory Reference Architecture  158
  Core Components  159
  Management Components  160
  Distribution Components  160
  Variables and Functionality  160
  Wrapping It Up  161
  Microsoft's Secure Supply Chain Consumption Framework  161
  S2C2F Practices  163
  S2C2F Implementation Guide  166
  OWASP Software Component Verification Standard  167
  SCVS Levels  168
  Level 1  168
  Level 2  169
  Level 3  169
  Inventory  169
  Software Bill of Materials  170
  Build Environment  171
  Package Management  171
  Component Analysis  173
  Pedigree and Provenance  173
  Open Source Policy  174
  OpenSSF Scorecard  175
  Security Scorecards for Open Source Projects  175
  How Can Organizations Make Use of the Scorecards Project?  177
  The Path Ahead  178
  Summary  178

Chapter 8: Existing and Emerging Government Guidance  179
  Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations  179
  Critical Software  181
  Security Measures for Critical Software  182
  Software Verification  186
  Threat Modeling  187
  Automated Testing  187
  Code-Based or Static Analysis and Dynamic Testing  188
  Review for Hard-Coded Secrets  188
  Run with Language-Provided Checks and Protection  189
  Black-Box Test Cases  189
  Code-Based Test Cases  189
  Historical Test Cases  189
  Fuzzing  190
  Web Application Scanning  190
  Check Included Software Components  190
  NIST's Secure Software Development Framework  191
  SSDF Details  192
  Prepare the Organization (PO)  193
  Protect the Software (PS)  194
  Produce Well-Secured Software (PW)  194
  Respond to Vulnerabilities (RV)  196
  NSA's Securing the Software Supply Chain Guidance Series  197
  Security Guidance for Software Developers  197
  Secure Product Criteria and Management  199
  Develop Secure Code  202
  Verify Third-Party Components  204
  Harden the Build Environment  206
  Deliver the Code  207
  NSA Appendices  207
  Recommended Practices Guide for Suppliers  209
  Prepare the Organization  209
  Protect the Software  210
  Produce Well-Secured Software  211
  Respond to Vulnerabilities  213
  Recommended Practices Guide for Customers  214
  Summary  218

Chapter 9: Software Transparency in Operational Technology  219
  The Kinetic Effect of Software  220
  Legacy Software Risks  222
  Ladder Logic and Setpoints in Control Systems  223
  ICS Attack Surface  225
  Smart Grid  227
  Summary  228

Chapter 10: Practical Guidance for Suppliers  229
  Vulnerability Disclosure and Response PSIRT  229
  Product Security Incident Response Team (PSIRT)  231
  To Share or Not to Share and How Much Is Too Much?  236
  Copyleft, Licensing Concerns, and "As-Is" Code  238
  Open Source Program Offices  240
  Consistency Across Product Teams  242
  Manual Effort vs. Automation and Accuracy  243
  Summary  244

Chapter 11: Practical Guidance for Consumers  245
  Thinking Broad and Deep  245
  Do I Really Need an SBOM?  246
  What Do I Do with It?  250
  Receiving and Managing SBOMs at Scale  251
  Reducing the Noise  253
  The Divergent Workflow: I Can't Just Apply a Patch?  254
  Preparation  256
  Identification  256
  Analysis  257
  Virtual Patch Creation  257
  Implementation and Testing  258
  Recovery and Follow-up  258
  Long-Term Thinking  259
  Summary  259

Chapter 12: Software Transparency Predictions  261
  Emerging Efforts, Regulations, and Requirements  261
  The Power of the U.S. Government Supply Chains to Affect Markets  267
  Acceleration of Supply Chain Attacks  270
  The Increasing Connectedness of Our Digital World  272
  What Comes Next?  275

Index  283
CHRIS HUGHES is the co-founder and Chief Information Security Officer of Aquia. He is an Adjunct Professor for M.S. Cybersecurity programs at Capitol Technology University and the University of Maryland Global Campus, and a co-host of the Resilient Cyber Podcast.

TONY TURNER has 25 years' experience as a cybersecurity engineer, architect, consultant, executive, and community builder. He is the Founder of Opswright, a software company creating solutions for security engineering in critical infrastructure, and leads the OWASP Orlando chapter.
1997-2025 DolnySlask.com Agencja Internetowa