Description

Book Synopsis

Discover the new cybersecurity landscape of the interconnected software supply chain

In Software Transparency: Supply Chain Security in an Era of a Software-Driven Society, a team of veteran information security professionals delivers an expert treatment of software supply chain security. In the book, you'll explore real-world examples and guidance on how to defend your own organization against internal and external attacks. It covers topics including the history of the software transparency movement, software bills of materials, and high assurance attestations.

The authors examine the background of attack vectors that are becoming increasingly vulnerable, like mobile and social networks, retail and banking systems, and infrastructure and defense systems. You'll also discover:

  • Use cases and practical guidance for both software consumers and suppliers
  • Discussions of firmware and embedded software, as well as cloud and connected APIs

    Table of Contents

    Foreword
    Introduction

    Chapter 1 Background on Software Supply Chain Threats
      • Incentives for the Attacker
      • Threat Models
      • Threat Modeling Methodologies
      • STRIDE
      • STRIDE-LM
      • Open Worldwide Application Security Project (OWASP) Risk-Rating Methodology
      • DREAD
      • Using Attack Trees
      • Threat Modeling Process
      • Landmark Case 1: SolarWinds
      • Landmark Case 2: Log4j
      • Landmark Case 3: Kaseya
      • What Can We Learn from These Cases?
      • Summary

    Chapter 2 Existing Approaches—Traditional Vendor Risk Management
      • Assessments
      • SDL Assessments
      • Application Security Maturity Models
      • Governance
      • Design
      • Implementation
      • Verification
      • Operations
      • Application Security Assurance
      • Static Application Security Testing
      • Dynamic Application Security Testing
      • Interactive Application Security Testing
      • Mobile Application Security Testing
      • Software Composition Analysis
      • Hashing and Code Signing
      • Summary

    Chapter 3 Vulnerability Databases and Scoring Methodologies
      • Common Vulnerabilities and Exposures
      • National Vulnerability Database
      • Software Identity Formats
      • CPE
      • Software Identification Tagging
      • purl
      • Sonatype OSS Index
      • Open Source Vulnerability Database
      • Global Security Database
      • Common Vulnerability Scoring System
      • Base Metrics
      • Temporal Metrics
      • Environmental Metrics
      • CVSS Rating Scale
      • Critiques
      • Exploit Prediction Scoring System
      • EPSS Model
      • EPSS Critiques
      • CISA’s Take
      • Common Security Advisory Framework
      • Vulnerability Exploitability eXchange
      • Stakeholder-Specific Vulnerability Categorization and Known Exploited Vulnerabilities
      • Moving Forward
      • Summary

    Chapter 4 Rise of Software Bill of Materials
      • SBOM in Regulations: Failures and Successes
      • NTIA: Evangelizing the Need for SBOM
      • Industry Efforts: National Labs
      • SBOM Formats
      • Software Identification (SWID) Tags
      • CycloneDX
      • Software Package Data Exchange (SPDX)
      • Vulnerability Exploitability eXchange (VEX) and Vulnerability Disclosures
      • VEX Enters the Conversation
      • VEX: Adding Context and Clarity
      • VEX vs. VDR
      • Moving Forward
      • Using SBOM with Other Attestations
      • Source Authenticity
      • Build Attestations
      • Dependency Management and Verification
      • Sigstore
      • Adoption
      • Sigstore Components
      • Commit Signing
      • SBOM Critiques and Concerns
      • Visibility for the Attacker
      • Intellectual Property
      • Tooling and Operationalization
      • Summary

    Chapter 5 Challenges in Software Transparency
      • Firmware and Embedded Software
      • Linux Firmware
      • Real-Time Operating System Firmware
      • Embedded Systems
      • Device-Specific SBOM
      • Open Source Software and Proprietary Code
      • User Software
      • Legacy Software
      • Secure Transport
      • Summary

    Chapter 6 Cloud and Containerization
      • Shared Responsibility Model
      • Breakdown of the Shared Responsibility Model
      • Duties of the Shared Responsibility Model
      • The 4 Cs of Cloud Native Security
      • Containers
      • Kubernetes
      • Serverless Model
      • SaaSBOM and the Complexity of APIs
      • CycloneDX SaaSBOM
      • Tooling and Emerging Discussions
      • Usage in DevOps and DevSecOps
      • Summary

    Chapter 7 Existing and Emerging Commercial Guidance
      • Supply Chain Levels for Software Artifacts
      • Google Graph for Understanding Artifact Composition
      • CIS Software Supply Chain Security Guide
      • Source Code
      • Build Pipelines
      • Dependencies
      • Artifacts
      • Deployment
      • CNCF’s Software Supply Chain Best Practices
      • Securing the Source Code
      • Securing Materials
      • Securing Build Pipelines
      • Securing Artifacts
      • Securing Deployments
      • CNCF’s Secure Software Factory Reference Architecture
      • The Secure Software Factory Reference Architecture
      • Core Components
      • Management Components
      • Distribution Components
      • Variables and Functionality
      • Wrapping It Up
      • Microsoft’s Secure Supply Chain Consumption Framework
      • S2C2F Practices
      • S2C2F Implementation Guide
      • OWASP Software Component Verification Standard
      • SCVS Levels
      • Level 1
      • Level 2
      • Level 3
      • Inventory
      • Software Bill of Materials
      • Build Environment
      • Package Management
      • Component Analysis
      • Pedigree and Provenance
      • Open Source Policy
      • OpenSSF Scorecard
      • Security Scorecards for Open Source Projects
      • How Can Organizations Make Use of the Scorecards Project?
      • The Path Ahead
      • Summary

    Chapter 8 Existing and Emerging Government Guidance
      • Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
      • Critical Software
      • Security Measures for Critical Software
      • Software Verification
      • Threat Modeling
      • Automated Testing
      • Code-Based or Static Analysis and Dynamic Testing
      • Review for Hard-Coded Secrets
      • Run with Language-Provided Checks and Protection
      • Black-Box Test Cases
      • Code-Based Test Cases
      • Historical Test Cases
      • Fuzzing
      • Web Application Scanning
      • Check Included Software Components
      • NIST’s Secure Software Development Framework
      • SSDF Details
      • Prepare the Organization (PO)
      • Protect the Software (PS)
      • Produce Well-Secured Software (PW)
      • Respond to Vulnerabilities (RV)
      • NSA’s Securing the Software Supply Chain Guidance Series
      • Security Guidance for Software Developers
      • Secure Product Criteria and Management
      • Develop Secure Code
      • Verify Third-Party Components
      • Harden the Build Environment
      • Deliver the Code
      • NSA Appendices
      • Recommended Practices Guide for Suppliers
      • Prepare the Organization
      • Protect the Software
      • Produce Well-Secured Software
      • Respond to Vulnerabilities
      • Recommended Practices Guide for Customers
      • Summary

    Chapter 9 Software Transparency in Operational Technology
      • The Kinetic Effect of Software
      • Legacy Software Risks
      • Ladder Logic and Setpoints in Control Systems
      • ICS Attack Surface
      • Smart Grid
      • Summary

    Chapter 10 Practical Guidance for Suppliers
      • Vulnerability Disclosure and Response PSIRT
      • Product Security Incident Response Team (PSIRT)
      • To Share or Not to Share and How Much Is Too Much?
      • Copyleft, Licensing Concerns, and “As-Is” Code
      • Open Source Program Offices
      • Consistency Across Product Teams
      • Manual Effort vs. Automation and Accuracy
      • Summary

    Chapter 11 Practical Guidance for Consumers
      • Thinking Broad and Deep
      • Do I Really Need an SBOM?
      • What Do I Do with It?
      • Receiving and Managing SBOMs at Scale
      • Reducing the Noise
      • The Divergent Workflow—I Can’t Just Apply a Patch?
      • Preparation
      • Identification
      • Analysis
      • Virtual Patch Creation
      • Implementation and Testing
      • Recovery and Follow-up
      • Long-Term Thinking
      • Summary

    Chapter 12 Software Transparency Predictions
      • Emerging Efforts, Regulations, and Requirements
      • The Power of the U.S. Government Supply Chains to Affect Markets
      • Acceleration of Supply Chain Attacks
      • The Increasing Connectedness of Our Digital World
      • What Comes Next?

    Index

Software Transparency


    A Paperback / softback by Chris Hughes, Tony Turner, Allan Friedman


      Publisher: John Wiley & Sons Inc
      Publication Date: 08/06/2023
      ISBN13: 9781394158485, 978-1394158485
      ISBN10: 1394158483
      Also in:
      Computer science
