Software Transparency

Foreword xxi Introduction xxv Chapter 1 Background on Software Supply Chain Threats 1 Incentives for the Attacker 1 Threat Models 2 Threat Modeling Methodologies 3 Stride 3 Stride- LM 4 Open Worldwide Application Security Project (OWASP) Risk- Rating Methodology 4 Dread 5 Using Attack Trees 5 Threat Modeling Process 6 Landmark Case 1: SolarWinds 14 Landmark Case 2: Log4j 18 Landmark Case 3: Kaseya 21 What Can We Learn from These Cases? 23 Summary 24 Chapter 2 Existing Approaches— Traditional Vendor Risk Management 25 Assessments 25 SDL Assessments 28 Application Security Maturity Models 29 Governance 30 Design 30 Implementation 31 Verification 31 Operations 32 Application Security Assurance 32 Static Application Security Testing 33 Dynamic Application Security Testing 34 Interactive Application Security Testing 35 Mobile Application Security Testing 36 Software Composition Analysis 36 Hashing and Code Signing 37 Summary 39 Chapter 3 Vulnerability Databases and Scoring Methodologies 41 Common Vulnerabilities and Exposures 41 National Vulnerability Database 44 Software Identity Formats 46 Cpe 46 Software Identification Tagging 47 Purl 49 Sonatype OSS Index 50 Open Source Vulnerability Database 51 Global Security Database 52 Common Vulnerability Scoring System 54 Base Metrics 55 Temporal Metrics 57 Environmental Metrics 58 CVSS Rating Scale 58 Critiques 59 Exploit Prediction Scoring System 59 EPSS Model 60 EPSS Critiques 62 CISA’s Take 63 Common Security Advisory Framework 63 Vulnerability Exploitability eXchange 64 Stakeholder- Specific Vulnerability Categorization and Known Exploited Vulnerabilities 65 Moving Forward 69 Summary 70 Chapter 4 Rise of Software Bill of Materials 71 SBOM in Regulations: Failures and Successes 71 NTIA: Evangelizing the Need for SBOM 72 Industry Efforts: National Labs 77 SBOM Formats 78 Software Identification (SWID) Tags 79 CycloneDX 80 Software Package Data Exchange (SPDX) 81 Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosures 82 VEX Enters the Conversation 83 VEX: Adding Context and Clarity 84 VEX vs. VDR 85 Moving Forward 88 Using SBOM with Other Attestations 89 Source Authenticity 89 Build Attestations 90 Dependency Management and Verification 90 Sigstore 92 Adoption 93 Sigstore Components 93 Commit Signing 95 SBOM Critiques and Concerns 95 Visibility for the Attacker 96 Intellectual Property 97 Tooling and Operationalization 97 Summary 98 Chapter 5 Challenges in Software Transparency 99 Firmware and Embedded Software 99 Linux Firmware 99 Real- Time Operating System Firmware 100 Embedded Systems 100 Device- Specific SBOM 100 Open Source Software and Proprietary Code 101 User Software 105 Legacy Software 106 Secure Transport 107 Summary 108 Chapter 6 Cloud and Containerization 111 Shared Responsibility Model 112 Breakdown of the Shared Responsibility Model 112 Duties of the Shared Responsibility Model 112 The 4 Cs of Cloud Native Security 116 Containers 118 Kubernetes 123 Serverless Model 128 SaaSBOM and the Complexity of APIs 129 CycloneDX SaaSBOM 130 Tooling and Emerging Discussions 132 Usage in DevOps and DevSecOps 132 Summary 135 Chapter 7 Existing and Emerging Commercial Guidance 137 Supply Chain Levels for Software Artifacts 137 Google Graph for Understanding Artifact Composition 141 CIS Software Supply Chain Security Guide 144 Source Code 145 Build Pipelines 146 Dependencies 148 Artifacts 148 Deployment 149 CNCF’s Software Supply Chain Best Practices 150 Securing the Source Code 152 Securing Materials 154 Securing Build Pipelines 155 Securing Artifacts 157 Securing Deployments 157 CNCF’s Secure Software Factory Reference Architecture 157 The Secure Software Factory Reference Architecture 158 Core Components 159 Management Components 160 Distribution Components 160 Variables and Functionality 160 Wrapping It Up 161 Microsoft’s Secure Supply Chain Consumption Framework 161 S2C2F Practices 163 S2C2F Implementation Guide 166 OWASP Software Component Verification Standard 167 SCVS Levels 168 Level 1 168 Level 2 169 Level 3 169 Inventory 169 Software Bill of Materials 170 Build Environment 171 Package Management 171 Component Analysis 173 Pedigree and Provenance 173 Open Source Policy 174 OpenSSF Scorecard 175 Security Scorecards for Open Source Projects 175 How Can Organizations Make Use of the Scorecards Project? 177 The Path Ahead 178 Summary 178 Chapter 8 Existing and Emerging Government Guidance 179 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations 179 Critical Software 181 Security Measures for Critical Software 182 Software Verification 186 Threat Modeling 187 Automated Testing 187 Code- Based or Static Analysis and Dynamic Testing 188 Review for Hard-Coded Secrets 188 Run with Language- Provided Checks and Protection 189 Black- Box Test Cases 189 Code- Based Test Cases 189 Historical Test Cases 189 Fuzzing 190 Web Application Scanning 190 Check Included Software Components 190 NIST’s Secure Software Development Framework 191 SSDF Details 192 Prepare the Organization (PO) 193 Protect the Software (PS) 194 Produce Well- Secured Software (PW) 194 Respond to Vulnerabilities (RV) 196 NSAs: Securing the Software Supply Chain Guidance Series 197 Security Guidance for Software Developers 197 Secure Product Criteria and Management 199 Develop Secure Code 202 Verify Third- Party Components 204 Harden the Build Environment 206 Deliver the Code 207 NSA Appendices 207 Recommended Practices Guide for Suppliers 209 Prepare the Organization 209 Protect the Software 210 Produce Well- Secured Software 211 Respond to Vulnerabilities 213 Recommended Practices Guide for Customers 214 Summary 218 Chapter 9 Software Transparency in Operational Technology 219 The Kinetic Effect of Software 220 Legacy Software Risks 222 Ladder Logic and Setpoints in Control Systems 223 ICS Attack Surface 225 Smart Grid 227 Summary 228 Chapter 10 Practical Guidance for Suppliers 229 Vulnerability Disclosure and Response PSIRT 229 Product Security Incident Response Team (PSIRT) 231 To Share or Not to Share and How Much Is Too Much? 236 Copyleft, Licensing Concerns, and “As- Is” Code 238 Open Source Program Offices 240 Consistency Across Product Teams 242 Manual Effort vs. Automation and Accuracy 243 Summary 244 Chapter 11 Practical Guidance for Consumers 245 Thinking Broad and Deep 245 Do I Really Need an SBOM? 246 What Do I Do with It? 250 Receiving and Managing SBOMs at Scale 251 Reducing the Noise 253 The Divergent Workflow— I Can’t Just Apply a Patch? 254 Preparation 256 Identification 256 Analysis 257 Virtual Patch Creation 257 Implementation and Testing 258 Recovery and Follow- up 258 Long- Term Thinking 259 Summary 259 Chapter 12 Software Transparency Predictions 261 Emerging Efforts, Regulations, and Requirements 261 The Power of the U.S. Government Supply Chains to Affect Markets 267 Acceleration of Supply Chain Attacks 270 The Increasing Connectedness of Our Digital World 272 What Comes Next? 275 Index 283