Software Transparency Supply Chain Security in an Era of a Software-Driven Society

Title
Software Transparency [electronic resource] : Supply Chain Security in an Era of a Software-Driven Society.
ISBN
9781394158508
1394158505
1394158483
9781394158485
Published
Newark : John Wiley & Sons, Incorporated, 2023.
Physical Description
1 online resource (332 p.)
Local Notes
Access is available to the Yale community.
Notes
Description based upon print version of record.
Summary
Access and use
Access restricted by licensing agreement.
Variant and related titles
O'Reilly Safari. OCLC KB.
Other formats
Print version: Hughes, Chris. Software Transparency. Newark: John Wiley & Sons, Incorporated, c2023.
Format
Books / Online
Language
English
Added to Catalog
July 05, 2023
Contents
Cover
Title Page
Copyright Page
Contents at a Glance
Contents
Foreword
Introduction
What Does This Book Cover?
Who Will Benefit Most from This Book?
Special Features
Chapter 1 Background on Software Supply Chain Threats
Incentives for the Attacker
Threat Models
Threat Modeling Methodologies
STRIDE
STRIDE-LM
Open Worldwide Application Security Project (OWASP) Risk-Rating Methodology
DREAD
Using Attack Trees
Threat Modeling Process
Landmark Case 1: SolarWinds
Landmark Case 2: Log4j
Landmark Case 3: Kaseya
What Can We Learn from These Cases?
Summary
Chapter 2 Existing Approaches: Traditional Vendor Risk Management
Assessments
SDL Assessments
Application Security Maturity Models
Governance
Design
Implementation
Verification
Operations
Application Security Assurance
Static Application Security Testing
Dynamic Application Security Testing
Interactive Application Security Testing
Mobile Application Security Testing
Software Composition Analysis
Hashing and Code Signing
Summary
Chapter 3 Vulnerability Databases and Scoring Methodologies
Common Vulnerabilities and Exposures
National Vulnerability Database
Software Identity Formats
CPE
Software Identification Tagging
PURL
Sonatype OSS Index
Open Source Vulnerability Database
Global Security Database
Common Vulnerability Scoring System
Base Metrics
Temporal Metrics
Environmental Metrics
CVSS Rating Scale
Critiques
Exploit Prediction Scoring System
EPSS Model
EPSS Critiques
CISA's Take
Common Security Advisory Framework
Vulnerability Exploitability eXchange
Stakeholder-Specific Vulnerability Categorization and Known Exploited Vulnerabilities
Moving Forward
Summary
Chapter 4 Rise of Software Bill of Materials
SBOM in Regulations: Failures and Successes
NTIA: Evangelizing the Need for SBOM
Industry Efforts: National Labs
SBOM Formats
Software Identification (SWID) Tags
CycloneDX
Software Package Data Exchange (SPDX)
Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosures
VEX Enters the Conversation
VEX: Adding Context and Clarity
VEX vs. VDR
Moving Forward
Using SBOM with Other Attestations
Source Authenticity
Build Attestations
Dependency Management and Verification
Sigstore
Adoption
Sigstore Components
Commit Signing
SBOM Critiques and Concerns
Visibility for the Attacker
Intellectual Property
Tooling and Operationalization
Summary
Chapter 5 Challenges in Software Transparency
Firmware and Embedded Software
Linux Firmware
Real-Time Operating System Firmware
Embedded Systems
Device-Specific SBOM
Open Source Software and Proprietary Code
User Software
Legacy Software
Secure Transport
Genre/Form
Electronic books.
Citation

Available from:

Online