By now the topic of software supply chain security is clearly among the most discussed topics in the IT/Cybersecurity industry. We know from reports from groups such as Sonatype that software supply chain attacks are up 742% over the last 3 years, and we have seen incidents hit everything from proprietary software vendors to open-source software (OSS) projects and components, impacting thousands of customers and millions of users around the world.
This is why my co-author Tony Turner and I decided to write “Software Transparency: Supply Chain Security in an Era of a Software-Driven Society” with the publisher Wiley. Our technical editor is CycloneDX and Dependency-Track founder/creator Steve Springett from OWASP, and our Foreword is written by Dr. Allan Friedman, who has spearheaded Software Bill of Materials (SBOM) efforts, first at the NTIA and now at CISA.
The book (available now for pre-order) is set to be published in June of 2023. Here's an overview, with walk-throughs on each chapter, explaining what we cover and what readers will learn.
Chapter 1: Background on software supply chain attacks
In this initial chapter of the book we cover topics such as the incentives for attackers, the anatomy of a hypothetical software supply chain attack, and threat modeling to mitigate the risk of software supply chain attacks. We also cover landmark cases that have impacted proprietary software vendors, open source software (OSS) components and managed service providers (MSPs).
Chapter 2: Existing approaches to supply chain risk management
Following the initial chapter of the book, we take a look at the traditional approaches to vendor and supply chain risk management. This includes application security maturity models, application security assurance testing methodologies and tooling, and approaches to hashing and code signing.
Chapter 3: Vulnerability databases and scoring methodologies
This chapter provides a detailed and comprehensive overview of the vulnerability database ecosystem. We discuss some of the longstanding vulnerability databases and their origins, as well as emerging databases that address some of the existing gaps. We also take a deep dive into vulnerability scoring, metrics and exploit prediction.
Chapter 4: Rise of the Software Bill of Materials (SBOM)
If you’ve been paying any attention to the software supply chain conversation, you’ve inevitably heard the term “SBOM”. This chapter provides an overview of the origin story of SBOM, from sources such as NTIA and CISA among others, as well as detailed breakdowns of the various SBOM formats. We also discuss the emergence of efforts such as Vulnerability Disclosure Programs and Reports, as well as Vulnerability Exploitability eXchange (VEX), which aims to add context to SBOMs so that they become actionable for software consumers.
Chapter 5: Challenges in software transparency
One thing that is certain is that the path to software transparency is complex and challenging. In this chapter we discuss concepts such as firmware and embedded software as well as the OSS ecosystem. We also discuss user and legacy software and the challenges around secure transport of software, data and artifacts.
Chapter 6: The cloud and containerization of software
Software transparency on-premises and in the cloud look very different, each with its own unique considerations. In this chapter we cover cloud computing, its different service models and its complexity, as well as the emergence and growth of containers, Kubernetes and serverless. We also discuss challenges associated with Software-as-a-Service (SaaS) and the continued adoption of DevSecOps.
Chapter 7: Existing and emerging supply chain guidance
Software supply chain security is a complicated topic. Luckily we are seeing a tremendous amount of emerging guidance, resources and best practices. This chapter is focused on covering guidance from sources such as NIST, Google, CIS, Microsoft, OWASP and others, culminating in the most comprehensive coverage of existing guidance on the topic anywhere in the industry.
Chapter 8: Software transparency in operational technology
Software transparency in IT is often the primary point of conversation around software supply chain security, while Operational Technology (OT) doesn’t get sufficient attention. This chapter focuses on the potential kinetic effects of software, legacy software risks, and software transparency considerations and risks for industrial control systems (ICS).
Chapter 9: Practical guidance for software suppliers
Software supply chain risks most often originate with suppliers. That is why this chapter is dedicated to practical guidance for software suppliers when it comes to transparency and supply chain security. Topics include vulnerability disclosure and response, product security teams, copyright concerns, the use of OSS, and where and how to leverage automation.
Chapter 10: Practical guidance for software consumers
While suppliers are in the best position to address risks, it is often the consumers who bear the brunt of security incidents and data breaches. This chapter provides comprehensive guidance to software consumers on how to mitigate the risk of being impacted by software supply chain attacks. This includes guidance on the use of SBOMs, VEX and vulnerability disclosures, understanding their software supply chain and suppliers, and the role that activities such as virtual patching play in some scenarios.
Chapter 11: Top software transparency predictions
While attempting to predict the future is futile, we do our best to look at where the industry and society are headed and what we may be able to anticipate moving forward. This includes detailed coverage of emerging regulations and requirements, the power of governments to affect markets, the acceleration of supply chain attacks, and the risks associated with our ever more connected societies.
Coverage includes efforts in the U.S. such as the Cyber Executive Order (EO) and National Cyber Strategy, as well as efforts from the EU, UK and others around the world. All of these efforts are aimed at addressing the systemic risk we now face as a society due to the pervasive nature of software in nearly every aspect of our lives.
Moving forward on supply chain security
It is clear that the trend of software supply chain attacks is only accelerating as malicious actors realize the value of compromising a single target, whether a proprietary software vendor, OSS component or service provider, and having a massive cascading downstream impact.
This reality requires further collaboration between development, security and operations — along with a whole industry effort to adopt modernized software supply chain practices and tooling, which we touch on throughout the book.
Given the ubiquity of software in every area of society, coupled with the complex interdependencies of the modern software supply chain, the challenge is what many refer to as a Gordian knot, one that presents unprecedented levels of systemic risk.