Buy Software Transparency Book by Tony Turner - Bookswagon
Logo1
close menu
Bookswagon
search
My Account
Home icon Home
Account Icon Account
Wishlist Icon Wishlist
Cart Icon Cart
humburger icon Categories
Book 1
Book 2
Book 3
Book 1
Book 2
Book 3
Book 1
Book 2
Book 3
Book 1
Book 2
Book 3
Home > Computing and Information Technology > Computer security > Data encryption > Software Transparency: Supply Chain Security in an Era of a Software-Driven Society
Software Transparency: Supply Chain Security in an Era of a Software-Driven Society
Software Transparency: Supply Chain Security in an Era of a Software-Driven Society

Software Transparency: Supply Chain Security in an Era of a Software-Driven Society


     5  |  4 Reviews 
5
4
3
2
1
Read 4 Reviews


Available


X

Software Transparency: Supply Chain Security in an Era of a Software-Driven Society
Supply Chain Security in an Era of a Software-Driven Society
Format: Paperback

About the Book

Discover the new cybersecurity landscape of the interconnected software supply chain

In Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, a team of veteran information security professionals delivers an expert treatment of software supply chain security. In the book, you’ll explore real-world examples and guidance on how to defend your own organization against internal and external attacks. It includes coverage of topics including the history of the software transparency movement, software bills of materials, and high assurance attestations.

The authors examine the background of attack vectors that are becoming increasingly vulnerable, like mobile and social networks, retail and banking systems, and infrastructure and defense systems. You’ll also discover:

  • Use cases and practical guidance for both software consumers and suppliers
  • Discussions of firmware and embedded software, as well as cloud and connected APIs
  • Strategies for understanding federal and defense software supply chain initiatives related to security

An essential resource for cybersecurity and application security professionals, Software Transparency will also be of extraordinary benefit to industrial control system, cloud, and mobile security professionals.



Table of Contents:

Foreword xxi

Introduction xxv

Chapter 1 Background on Software Supply Chain Threats 1

Incentives for the Attacker 1

Threat Models 2

Threat Modeling Methodologies 3

Stride 3

Stride- LM 4

Open Worldwide Application Security Project (OWASP) Risk- Rating Methodology 4

Dread 5

Using Attack Trees 5

Threat Modeling Process 6

Landmark Case 1: SolarWinds 14

Landmark Case 2: Log4j 18

Landmark Case 3: Kaseya 21

What Can We Learn from These Cases? 23

Summary 24

Chapter 2 Existing Approaches— Traditional Vendor Risk Management 25

Assessments 25

SDL Assessments 28

Application Security Maturity Models 29

Governance 30

Design 30

Implementation 31

Verification 31

Operations 32

Application Security Assurance 32

Static Application Security Testing 33

Dynamic Application Security Testing 34

Interactive Application Security Testing 35

Mobile Application Security Testing 36

Software Composition Analysis 36

Hashing and Code Signing 37

Summary 39

Chapter 3 Vulnerability Databases and Scoring Methodologies 41

Common Vulnerabilities and Exposures 41

National Vulnerability Database 44

Software Identity Formats 46

Cpe 46

Software Identification Tagging 47

Purl 49

Sonatype OSS Index 50

Open Source Vulnerability Database 51

Global Security Database 52

Common Vulnerability Scoring System 54

Base Metrics 55

Temporal Metrics 57

Environmental Metrics 58

CVSS Rating Scale 58

Critiques 59

Exploit Prediction Scoring System 59

EPSS Model 60

EPSS Critiques 62

CISA’s Take 63

Common Security Advisory Framework 63

Vulnerability Exploitability eXchange 64

Stakeholder- Specific Vulnerability Categorization and Known Exploited Vulnerabilities 65

Moving Forward 69

Summary 70

Chapter 4 Rise of Software Bill of Materials 71

SBOM in Regulations: Failures and Successes 71

NTIA: Evangelizing the Need for SBOM 72

Industry Efforts: National Labs 77

SBOM Formats 78

Software Identification (SWID) Tags 79

CycloneDX 80

Software Package Data Exchange (SPDX) 81

Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosures 82

VEX Enters the Conversation 83

VEX: Adding Context and Clarity 84

VEX vs. VDR 85

Moving Forward 88

Using SBOM with Other Attestations 89

Source Authenticity 89

Build Attestations 90

Dependency Management and Verification 90

Sigstore 92

Adoption 93

Sigstore Components 93

Commit Signing 95

SBOM Critiques and Concerns 95

Visibility for the Attacker 96

Intellectual Property 97

Tooling and Operationalization 97

Summary 98

Chapter 5 Challenges in Software Transparency 99

Firmware and Embedded Software 99

Linux Firmware 99

Real- Time Operating System Firmware 100

Embedded Systems 100

Device- Specific SBOM 100

Open Source Software and Proprietary Code 101

User Software 105

Legacy Software 106

Secure Transport 107

Summary 108

Chapter 6 Cloud and Containerization 111

Shared Responsibility Model 112

Breakdown of the Shared Responsibility Model 112

Duties of the Shared Responsibility Model 112

The 4 Cs of Cloud Native Security 116

Containers 118

Kubernetes 123

Serverless Model 128

SaaSBOM and the Complexity of APIs 129

CycloneDX SaaSBOM 130

Tooling and Emerging Discussions 132

Usage in DevOps and DevSecOps 132

Summary 135

Chapter 7 Existing and Emerging Commercial Guidance 137

Supply Chain Levels for Software Artifacts 137

Google Graph for Understanding Artifact Composition 141

CIS Software Supply Chain Security Guide 144

Source Code 145

Build Pipelines 146

Dependencies 148

Artifacts 148

Deployment 149

CNCF’s Software Supply Chain Best Practices 150

Securing the Source Code 152

Securing Materials 154

Securing Build Pipelines 155

Securing Artifacts 157

Securing Deployments 157

CNCF’s Secure Software Factory Reference Architecture 157

The Secure Software Factory Reference Architecture 158

Core Components 159

Management Components 160

Distribution Components 160

Variables and Functionality 160

Wrapping It Up 161

Microsoft’s Secure Supply Chain Consumption Framework 161

S2C2F Practices 163

S2C2F Implementation Guide 166

OWASP Software Component Verification Standard 167

SCVS Levels 168

Level 1 168

Level 2 169

Level 3 169

Inventory 169

Software Bill of Materials 170

Build Environment 171

Package Management 171

Component Analysis 173

Pedigree and Provenance 173

Open Source Policy 174

OpenSSF Scorecard 175

Security Scorecards for Open Source Projects 175

How Can Organizations Make Use of the Scorecards Project? 177

The Path Ahead 178

Summary 178

Chapter 8 Existing and Emerging Government Guidance 179

Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations 179

Critical Software 181

Security Measures for Critical Software 182

Software Verification 186

Threat Modeling 187

Automated Testing 187

Code- Based or Static Analysis and Dynamic Testing 188

Review for Hard-Coded Secrets 188

Run with Language- Provided Checks and Protection 189

Black- Box Test Cases 189

Code- Based Test Cases 189

Historical Test Cases 189

Fuzzing 190

Web Application Scanning 190

Check Included Software Components 190

NIST’s Secure Software Development Framework 191

SSDF Details 192

Prepare the Organization (PO) 193

Protect the Software (PS) 194

Produce Well- Secured Software (PW) 194

Respond to Vulnerabilities (RV) 196

NSAs: Securing the Software Supply Chain Guidance Series 197

Security Guidance for Software Developers 197

Secure Product Criteria and Management 199

Develop Secure Code 202

Verify Third- Party Components 204

Harden the Build Environment 206

Deliver the Code 207

NSA Appendices 207

Recommended Practices Guide for Suppliers 209

Prepare the Organization 209

Protect the Software 210

Produce Well- Secured Software 211

Respond to Vulnerabilities 213

Recommended Practices Guide for Customers 214

Summary 218

Chapter 9 Software Transparency in Operational Technology 219

The Kinetic Effect of Software 220

Legacy Software Risks 222

Ladder Logic and Setpoints in Control Systems 223

ICS Attack Surface 225

Smart Grid 227

Summary 228

Chapter 10 Practical Guidance for Suppliers 229

Vulnerability Disclosure and Response PSIRT 229

Product Security Incident Response Team (PSIRT) 231

To Share or Not to Share and How Much Is Too Much? 236

Copyleft, Licensing Concerns, and “As- Is” Code 238

Open Source Program Offices 240

Consistency Across Product Teams 242

Manual Effort vs. Automation and Accuracy 243

Summary 244

Chapter 11 Practical Guidance for Consumers 245

Thinking Broad and Deep 245

Do I Really Need an SBOM? 246

What Do I Do with It? 250

Receiving and Managing SBOMs at Scale 251

Reducing the Noise 253

The Divergent Workflow— I Can’t Just Apply a Patch? 254

Preparation 256

Identification 256

Analysis 257

Virtual Patch Creation 257

Implementation and Testing 258

Recovery and Follow- up 258

Long- Term Thinking 259

Summary 259

Chapter 12 Software Transparency Predictions 261

Emerging Efforts, Regulations, and Requirements 261

The Power of the U.S. Government Supply Chains to Affect Markets 267

Acceleration of Supply Chain Attacks 270

The Increasing Connectedness of Our Digital World 272

What Comes Next? 275

Index 283



About the Author :

CHRIS HUGHES is the co-founder and Chief Information Security Officer of Aquia. He is an Adjunct Professor for M.S. Cybersecurity programs at Capitol Technology University and the University of Maryland Global Campus, and a co-host of the Resilient Cyber Podcast.

TONY TURNER has 25 years’ experience as a cybersecurity engineer, architect, consultant, executive, and community builder. He is the Founder of Opswright, a software company creating solutions for security engineering in critical infrastructure and leads the OWASP Orlando chapter.

Best Sellers

See All
Too Good To Be True
Quick View

Too Good To Be True Prajakta Koli

4.3 (6)

AED33

Thank You for Leaving
Quick View

Thank You for Leaving Rithvik Singh

2 (5)

AED36

Atomic Habits (EXP)
Quick View

Atomic Habits (EXP) James Clear

No Review Yet

AED101

My First Library: Boxset of 10 Board Books for Kids
Quick View

My First Library: Boxset of 10 Board Books for Kids

4.1 (8)

AED66

Dopamine Detox
Quick View

Dopamine Detox Thibaut Meurisse

No Review Yet

AED35

Money Myths and Mantras
Quick View

Money Myths and Mantras Devina Mehra

4.7 (3)

AED48

Meditations
Quick View

Meditations Marcus Aurelius

4.3 (6)

AED43

Harry Potter Box Set: The Complete Collection (Children’s Paperback)
Quick View

Harry Potter Box Set: The Complete Collection (Children’s Paperback) J.K. Rowling

4.3 (8)

AED246

Atomic Habits
Quick View

Atomic Habits James Clear

4.6 (5)

AED62

The Art of Being Alone
Quick View

The Art of Being Alone Renuka Gavrani

5 (6)

AED47

Animals Tales From Panchtantra: Timeless Stories For Children From Ancient India
Quick View

Animals Tales From Panchtantra: Timeless Stories For Children From Ancient India

4.5 (10)

AED47

My First Book of Patterns Pencil Control: Patterns Practice book for kids (Pattern Writing)
Quick View

My First Book of Patterns Pencil Control: Patterns Practice book for kids (Pattern Writing)

4.6 (8)

AED21

Product Details
  • ISBN-13: 9781394158485
  • Publisher: John Wiley & Sons Inc
  • Publisher Imprint: John Wiley & Sons Inc
  • Height: 231 mm
  • No of Pages: 336
  • Returnable: N
  • Sub Title: Supply Chain Security in an Era of a Software-Driven Society
  • Width: 188 mm
  • ISBN-10: 1394158483
  • Publisher Date: 08 Jun 2023
  • Binding: Paperback
  • Language: English
  • Returnable: N
  • Spine Width: 25 mm
  • Weight: 690 gr

Similar Products

Add Photo
Add Photo

Customer Reviews

     5  |  4 Reviews 
out of (%) reviewers recommend this product
Top Reviews
Write A Review
Rating Snapshot
Select a row below to filter reviews.
5
4
3
2
1
Average Customer Ratings
     5  |  4 Reviews 
00 of 0 Reviews
Sort by :
Ratings
Reader Type
Contains Spoiler
Active Filters

00 of 0 Reviews
SEARCH RESULTS
1–2 of 2 Reviews
    BoxerLover2 - 5 Days ago
    A Thrilling But Totally Believable Murder Mystery

    Read this in one evening. I had planned to do other things with my day, but it was impossible to put down. Every time I tried, I was drawn back to it in less than 5 minutes. I sobbed my eyes out the entire last 100 pages. Highly recommend!

    BoxerLover2 - 5 Days ago
    A Thrilling But Totally Believable Murder Mystery

    Read this in one evening. I had planned to do other things with my day, but it was impossible to put down. Every time I tried, I was drawn back to it in less than 5 minutes. I sobbed my eyes out the entire last 100 pages. Highly recommend!


Sample text
Photo of
    Media Viewer

    Sample text
    Reviews
    Reader Type:
    BoxerLover2
    00 of 0 review

    Your review was submitted!
    Software Transparency: Supply Chain Security in an Era of a Software-Driven Society
    John Wiley & Sons Inc -
    Software Transparency: Supply Chain Security in an Era of a Software-Driven Society
    Writing guidlines
    We want to publish your review, so please:
    • keep your review on the product. Review's that defame author's character will be rejected.
    • Keep your review focused on the product.
    • Avoid writing about customer service. contact us instead if you have issue requiring immediate attention.
    • Refrain from mentioning competitors or the specific price you paid for the product.
    • Do not include any personally identifiable information, such as full names.

    Software Transparency: Supply Chain Security in an Era of a Software-Driven Society

    Required fields are marked with *

    Review Title*
    Review
      Add Photo Add up to 6 photos
      Would you recommend this product to a friend?
      Tag this Book Read more
      Does your review contain spoilers?
      What type of reader best describes you?
      I agree to the terms & conditions
      You may receive emails regarding this submission. Any emails will include the ability to opt-out of future communications.

      CUSTOMER RATINGS AND REVIEWS AND QUESTIONS AND ANSWERS TERMS OF USE

      These Terms of Use govern your conduct associated with the Customer Ratings and Reviews and/or Questions and Answers service offered by Bookswagon (the "CRR Service").


      By submitting any content to Bookswagon, you guarantee that:
      • You are the sole author and owner of the intellectual property rights in the content;
      • All "moral rights" that you may have in such content have been voluntarily waived by you;
      • All content that you post is accurate;
      • You are at least 13 years old;
      • Use of the content you supply does not violate these Terms of Use and will not cause injury to any person or entity.
      You further agree that you may not submit any content:
      • That is known by you to be false, inaccurate or misleading;
      • That infringes any third party's copyright, patent, trademark, trade secret or other proprietary rights or rights of publicity or privacy;
      • That violates any law, statute, ordinance or regulation (including, but not limited to, those governing, consumer protection, unfair competition, anti-discrimination or false advertising);
      • That is, or may reasonably be considered to be, defamatory, libelous, hateful, racially or religiously biased or offensive, unlawfully threatening or unlawfully harassing to any individual, partnership or corporation;
      • For which you were compensated or granted any consideration by any unapproved third party;
      • That includes any information that references other websites, addresses, email addresses, contact information or phone numbers;
      • That contains any computer viruses, worms or other potentially damaging computer programs or files.
      You agree to indemnify and hold Bookswagon (and its officers, directors, agents, subsidiaries, joint ventures, employees and third-party service providers, including but not limited to Bazaarvoice, Inc.), harmless from all claims, demands, and damages (actual and consequential) of every kind and nature, known and unknown including reasonable attorneys' fees, arising out of a breach of your representations and warranties set forth above, or your violation of any law or the rights of a third party.


      For any content that you submit, you grant Bookswagon a perpetual, irrevocable, royalty-free, transferable right and license to use, copy, modify, delete in its entirety, adapt, publish, translate, create derivative works from and/or sell, transfer, and/or distribute such content and/or incorporate such content into any form, medium or technology throughout the world without compensation to you. Additionally,  Bookswagon may transfer or share any personal information that you submit with its third-party service providers, including but not limited to Bazaarvoice, Inc. in accordance with  Privacy Policy


      All content that you submit may be used at Bookswagon's sole discretion. Bookswagon reserves the right to change, condense, withhold publication, remove or delete any content on Bookswagon's website that Bookswagon deems, in its sole discretion, to violate the content guidelines or any other provision of these Terms of Use.  Bookswagon does not guarantee that you will have any recourse through Bookswagon to edit or delete any content you have submitted. Ratings and written comments are generally posted within two to four business days. However, Bookswagon reserves the right to remove or to refuse to post any submission to the extent authorized by law. You acknowledge that you, not Bookswagon, are responsible for the contents of your submission. None of the content that you submit shall be subject to any obligation of confidence on the part of Bookswagon, its agents, subsidiaries, affiliates, partners or third party service providers (including but not limited to Bazaarvoice, Inc.)and their respective directors, officers and employees.

      Accept

      See All

      Inspired by your browsing history


      Your review has been submitted!

      You've already reviewed this product!
      Hello, User