{"product_id":"software-transparency-9781394158485","title":"Software Transparency","description":"\u003cb\u003eBook Synopsis\u003c\/b\u003e\u003cbr\u003e\u003cp\u003e\u003cb\u003eDiscover the new cybersecurity landscape of the interconnected software supply chain\u003c\/b\u003e\u003c\/p\u003e\u003cp\u003eIn \u003ci\u003eSoftware Transparency: Supply Chain Security in an Era of a Software-Driven Society,\u003c\/i\u003e a team of veteran information security professionals delivers an expert treatment of software supply chain security. In the book, you'll explore real-world examples and guidance on how to defend your own organization against internal and external attacks. It covers topics including the history of the software transparency movement, software bills of materials, and high assurance attestations.\u003c\/p\u003e\u003cp\u003eThe authors examine the background of attack vectors that are becoming increasingly vulnerable, like mobile and social networks, retail and banking systems, and infrastructure and defense systems. You'll also discover:\u003c\/p\u003e\u003cul\u003e \u003cli\u003eUse cases and practical guidance for both software consumers and suppliers\u003c\/li\u003e \u003cli\u003eDiscussions of firmware and embedded software, as well as cloud and connected APIs\u003c\/li\u003e \u003c\/ul\u003e\u003cbr\u003e\u003cb\u003eTable of Contents\u003c\/b\u003e\u003cbr\u003e\u003cp\u003eForeword xxi\u003c\/p\u003e \u003cp\u003eIntroduction xxv\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 1 Background on Software Supply Chain Threats 1\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eIncentives for the Attacker 1\u003c\/p\u003e \u003cp\u003eThreat Models 2\u003c\/p\u003e \u003cp\u003eThreat Modeling Methodologies 3\u003c\/p\u003e \u003cp\u003eSTRIDE 3\u003c\/p\u003e \u003cp\u003eSTRIDE-LM 4\u003c\/p\u003e \u003cp\u003eOpen Worldwide Application Security Project (OWASP) Risk-Rating Methodology 4\u003c\/p\u003e \u003cp\u003eDREAD 5\u003c\/p\u003e \u003cp\u003eUsing Attack Trees 5\u003c\/p\u003e \u003cp\u003eThreat Modeling Process 6\u003c\/p\u003e \u003cp\u003eLandmark Case 1: SolarWinds 14\u003c\/p\u003e \u003cp\u003eLandmark Case 2: Log4j 18\u003c\/p\u003e \u003cp\u003eLandmark Case 3: Kaseya 21\u003c\/p\u003e \u003cp\u003eWhat Can We Learn from These Cases? 23\u003c\/p\u003e \u003cp\u003eSummary 24\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 2 Existing Approaches—Traditional Vendor Risk Management 25\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eAssessments 25\u003c\/p\u003e \u003cp\u003eSDL Assessments 28\u003c\/p\u003e \u003cp\u003eApplication Security Maturity Models 29\u003c\/p\u003e \u003cp\u003eGovernance 30\u003c\/p\u003e \u003cp\u003eDesign 30\u003c\/p\u003e \u003cp\u003eImplementation 31\u003c\/p\u003e \u003cp\u003eVerification 31\u003c\/p\u003e \u003cp\u003eOperations 32\u003c\/p\u003e \u003cp\u003eApplication Security Assurance 32\u003c\/p\u003e \u003cp\u003eStatic Application Security Testing 33\u003c\/p\u003e \u003cp\u003eDynamic Application Security Testing 34\u003c\/p\u003e \u003cp\u003eInteractive Application Security Testing 35\u003c\/p\u003e \u003cp\u003eMobile Application Security Testing 36\u003c\/p\u003e \u003cp\u003eSoftware Composition Analysis 36\u003c\/p\u003e \u003cp\u003eHashing and Code Signing 37\u003c\/p\u003e \u003cp\u003eSummary 39\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 3 Vulnerability Databases and Scoring Methodologies 41\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eCommon Vulnerabilities and Exposures 41\u003c\/p\u003e \u003cp\u003eNational Vulnerability Database 44\u003c\/p\u003e \u003cp\u003eSoftware Identity Formats 46\u003c\/p\u003e \u003cp\u003eCPE 46\u003c\/p\u003e \u003cp\u003eSoftware Identification Tagging 47\u003c\/p\u003e \u003cp\u003ePURL 49\u003c\/p\u003e \u003cp\u003eSonatype OSS Index 50\u003c\/p\u003e \u003cp\u003eOpen Source Vulnerability Database 51\u003c\/p\u003e \u003cp\u003eGlobal Security Database 52\u003c\/p\u003e \u003cp\u003eCommon Vulnerability Scoring System 54\u003c\/p\u003e \u003cp\u003eBase Metrics 55\u003c\/p\u003e \u003cp\u003eTemporal Metrics 57\u003c\/p\u003e \u003cp\u003eEnvironmental Metrics 58\u003c\/p\u003e \u003cp\u003eCVSS Rating Scale 58\u003c\/p\u003e \u003cp\u003eCritiques 59\u003c\/p\u003e \u003cp\u003eExploit Prediction Scoring System 59\u003c\/p\u003e \u003cp\u003eEPSS Model 60\u003c\/p\u003e \u003cp\u003eEPSS Critiques 62\u003c\/p\u003e \u003cp\u003eCISA’s Take 63\u003c\/p\u003e \u003cp\u003eCommon Security Advisory Framework 63\u003c\/p\u003e \u003cp\u003eVulnerability Exploitability eXchange 64\u003c\/p\u003e \u003cp\u003eStakeholder-Specific Vulnerability Categorization and Known Exploited Vulnerabilities 65\u003c\/p\u003e \u003cp\u003eMoving Forward 69\u003c\/p\u003e \u003cp\u003eSummary 70\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 4 Rise of Software Bill of Materials 71\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eSBOM in Regulations: Failures and Successes 71\u003c\/p\u003e \u003cp\u003eNTIA: Evangelizing the Need for SBOM 72\u003c\/p\u003e \u003cp\u003eIndustry Efforts: National Labs 77\u003c\/p\u003e \u003cp\u003eSBOM Formats 78\u003c\/p\u003e \u003cp\u003eSoftware Identification (SWID) Tags 79\u003c\/p\u003e \u003cp\u003eCycloneDX 80\u003c\/p\u003e \u003cp\u003eSoftware Package Data Exchange (SPDX) 81\u003c\/p\u003e \u003cp\u003eVulnerability Exploitability eXchange (VEX) and Vulnerability Disclosures 82\u003c\/p\u003e \u003cp\u003eVEX Enters the Conversation 83\u003c\/p\u003e \u003cp\u003eVEX: Adding Context and Clarity 84\u003c\/p\u003e \u003cp\u003eVEX vs. VDR 85\u003c\/p\u003e \u003cp\u003eMoving Forward 88\u003c\/p\u003e \u003cp\u003eUsing SBOM with Other Attestations 89\u003c\/p\u003e \u003cp\u003eSource Authenticity 89\u003c\/p\u003e \u003cp\u003eBuild Attestations 90\u003c\/p\u003e \u003cp\u003eDependency Management and Verification 90\u003c\/p\u003e \u003cp\u003eSigstore 92\u003c\/p\u003e \u003cp\u003eAdoption 93\u003c\/p\u003e \u003cp\u003eSigstore Components 93\u003c\/p\u003e \u003cp\u003eCommit Signing 95\u003c\/p\u003e \u003cp\u003eSBOM Critiques and Concerns 95\u003c\/p\u003e \u003cp\u003eVisibility for the Attacker 96\u003c\/p\u003e \u003cp\u003eIntellectual Property 97\u003c\/p\u003e \u003cp\u003eTooling and Operationalization 97\u003c\/p\u003e \u003cp\u003eSummary 98\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 5 Challenges in Software Transparency 99\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eFirmware and Embedded Software 99\u003c\/p\u003e \u003cp\u003eLinux Firmware 99\u003c\/p\u003e \u003cp\u003eReal-Time Operating System Firmware 100\u003c\/p\u003e \u003cp\u003eEmbedded Systems 100\u003c\/p\u003e \u003cp\u003eDevice-Specific SBOM 100\u003c\/p\u003e \u003cp\u003eOpen Source Software and Proprietary Code 101\u003c\/p\u003e \u003cp\u003eUser Software 105\u003c\/p\u003e \u003cp\u003eLegacy Software 106\u003c\/p\u003e \u003cp\u003eSecure Transport 107\u003c\/p\u003e \u003cp\u003eSummary 108\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 6 Cloud and Containerization 111\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eShared Responsibility Model 112\u003c\/p\u003e \u003cp\u003eBreakdown of the Shared Responsibility Model 112\u003c\/p\u003e \u003cp\u003eDuties of the Shared Responsibility Model 112\u003c\/p\u003e \u003cp\u003eThe 4 Cs of Cloud Native Security 116\u003c\/p\u003e \u003cp\u003eContainers 118\u003c\/p\u003e \u003cp\u003eKubernetes 123\u003c\/p\u003e \u003cp\u003eServerless Model 128\u003c\/p\u003e \u003cp\u003eSaaSBOM and the Complexity of APIs 129\u003c\/p\u003e \u003cp\u003eCycloneDX SaaSBOM 130\u003c\/p\u003e \u003cp\u003eTooling and Emerging Discussions 132\u003c\/p\u003e \u003cp\u003eUsage in DevOps and DevSecOps 132\u003c\/p\u003e \u003cp\u003eSummary 135\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 7 Existing and Emerging Commercial Guidance 137\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eSupply Chain Levels for Software Artifacts 137\u003c\/p\u003e \u003cp\u003eGoogle Graph for Understanding Artifact Composition 141\u003c\/p\u003e \u003cp\u003eCIS Software Supply Chain Security Guide 144\u003c\/p\u003e \u003cp\u003eSource Code 145\u003c\/p\u003e \u003cp\u003eBuild Pipelines 146\u003c\/p\u003e \u003cp\u003eDependencies 148\u003c\/p\u003e \u003cp\u003eArtifacts 148\u003c\/p\u003e \u003cp\u003eDeployment 149\u003c\/p\u003e \u003cp\u003eCNCF’s Software Supply Chain Best Practices 150\u003c\/p\u003e \u003cp\u003eSecuring the Source Code 152\u003c\/p\u003e \u003cp\u003eSecuring Materials 154\u003c\/p\u003e \u003cp\u003eSecuring Build Pipelines 155\u003c\/p\u003e \u003cp\u003eSecuring Artifacts 157\u003c\/p\u003e \u003cp\u003eSecuring Deployments 157\u003c\/p\u003e \u003cp\u003eCNCF’s Secure Software Factory Reference Architecture 157\u003c\/p\u003e \u003cp\u003eThe Secure Software Factory Reference Architecture 158\u003c\/p\u003e \u003cp\u003eCore Components 159\u003c\/p\u003e \u003cp\u003eManagement Components 160\u003c\/p\u003e \u003cp\u003eDistribution Components 160\u003c\/p\u003e \u003cp\u003eVariables and Functionality 160\u003c\/p\u003e \u003cp\u003eWrapping It Up 161\u003c\/p\u003e \u003cp\u003eMicrosoft’s Secure Supply Chain Consumption Framework 161\u003c\/p\u003e \u003cp\u003eS2C2F Practices 163\u003c\/p\u003e \u003cp\u003eS2C2F Implementation Guide 166\u003c\/p\u003e \u003cp\u003eOWASP Software Component Verification Standard 167\u003c\/p\u003e \u003cp\u003eSCVS Levels 168\u003c\/p\u003e \u003cp\u003eLevel 1 168\u003c\/p\u003e \u003cp\u003eLevel 2 169\u003c\/p\u003e \u003cp\u003eLevel 3 169\u003c\/p\u003e \u003cp\u003eInventory 169\u003c\/p\u003e \u003cp\u003eSoftware Bill of Materials 170\u003c\/p\u003e \u003cp\u003eBuild Environment 171\u003c\/p\u003e \u003cp\u003ePackage Management 171\u003c\/p\u003e \u003cp\u003eComponent Analysis 173\u003c\/p\u003e \u003cp\u003ePedigree and Provenance 173\u003c\/p\u003e \u003cp\u003eOpen Source Policy 174\u003c\/p\u003e \u003cp\u003eOpenSSF Scorecard 175\u003c\/p\u003e \u003cp\u003eSecurity Scorecards for Open Source Projects 175\u003c\/p\u003e \u003cp\u003eHow Can Organizations Make Use of the Scorecards Project? 177\u003c\/p\u003e \u003cp\u003eThe Path Ahead 178\u003c\/p\u003e \u003cp\u003eSummary 178\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 8 Existing and Emerging Government Guidance 179\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eCybersecurity Supply Chain Risk Management Practices for Systems and Organizations 179\u003c\/p\u003e \u003cp\u003eCritical Software 181\u003c\/p\u003e \u003cp\u003eSecurity Measures for Critical Software 182\u003c\/p\u003e \u003cp\u003eSoftware Verification 186\u003c\/p\u003e \u003cp\u003eThreat Modeling 187\u003c\/p\u003e \u003cp\u003eAutomated Testing 187\u003c\/p\u003e \u003cp\u003eCode-Based or Static Analysis and Dynamic Testing 188\u003c\/p\u003e \u003cp\u003eReview for Hard-Coded Secrets 188\u003c\/p\u003e \u003cp\u003eRun with Language-Provided Checks and Protection 189\u003c\/p\u003e \u003cp\u003eBlack-Box Test Cases 189\u003c\/p\u003e \u003cp\u003eCode-Based Test Cases 189\u003c\/p\u003e \u003cp\u003eHistorical Test Cases 189\u003c\/p\u003e \u003cp\u003eFuzzing 190\u003c\/p\u003e \u003cp\u003eWeb Application Scanning 190\u003c\/p\u003e \u003cp\u003eCheck Included Software Components 190\u003c\/p\u003e \u003cp\u003eNIST’s Secure Software Development Framework 191\u003c\/p\u003e \u003cp\u003eSSDF Details 192\u003c\/p\u003e \u003cp\u003ePrepare the Organization (PO) 193\u003c\/p\u003e \u003cp\u003eProtect the Software (PS) 194\u003c\/p\u003e \u003cp\u003eProduce Well-Secured Software (PW) 194\u003c\/p\u003e \u003cp\u003eRespond to Vulnerabilities (RV) 196\u003c\/p\u003e \u003cp\u003eNSA’s: Securing the Software Supply Chain Guidance Series 197\u003c\/p\u003e \u003cp\u003eSecurity Guidance for Software Developers 197\u003c\/p\u003e \u003cp\u003eSecure Product Criteria and Management 199\u003c\/p\u003e \u003cp\u003eDevelop Secure Code 202\u003c\/p\u003e \u003cp\u003eVerify Third-Party Components 204\u003c\/p\u003e \u003cp\u003eHarden the Build Environment 206\u003c\/p\u003e \u003cp\u003eDeliver the Code 207\u003c\/p\u003e \u003cp\u003eNSA Appendices 207\u003c\/p\u003e \u003cp\u003eRecommended Practices Guide for Suppliers 209\u003c\/p\u003e \u003cp\u003ePrepare the Organization 209\u003c\/p\u003e \u003cp\u003eProtect the Software 210\u003c\/p\u003e \u003cp\u003eProduce Well-Secured Software 211\u003c\/p\u003e \u003cp\u003eRespond to Vulnerabilities 213\u003c\/p\u003e \u003cp\u003eRecommended Practices Guide for Customers 214\u003c\/p\u003e \u003cp\u003eSummary 218\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 9 Software Transparency in Operational Technology 219\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThe Kinetic Effect of Software 220\u003c\/p\u003e \u003cp\u003eLegacy Software Risks 222\u003c\/p\u003e \u003cp\u003eLadder Logic and Setpoints in Control Systems 223\u003c\/p\u003e \u003cp\u003eICS Attack Surface 225\u003c\/p\u003e \u003cp\u003eSmart Grid 227\u003c\/p\u003e \u003cp\u003eSummary 228\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 10 Practical Guidance for Suppliers 229\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eVulnerability Disclosure and Response PSIRT 229\u003c\/p\u003e \u003cp\u003eProduct Security Incident Response Team (PSIRT) 231\u003c\/p\u003e \u003cp\u003eTo Share or Not to Share and How Much Is Too Much? 236\u003c\/p\u003e \u003cp\u003eCopyleft, Licensing Concerns, and “As-Is” Code 238\u003c\/p\u003e \u003cp\u003eOpen Source Program Offices 240\u003c\/p\u003e \u003cp\u003eConsistency Across Product Teams 242\u003c\/p\u003e \u003cp\u003eManual Effort vs. Automation and Accuracy 243\u003c\/p\u003e \u003cp\u003eSummary 244\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 11 Practical Guidance for Consumers 245\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eThinking Broad and Deep 245\u003c\/p\u003e \u003cp\u003eDo I Really Need an SBOM? 246\u003c\/p\u003e \u003cp\u003eWhat Do I Do with It? 250\u003c\/p\u003e \u003cp\u003eReceiving and Managing SBOMs at Scale 251\u003c\/p\u003e \u003cp\u003eReducing the Noise 253\u003c\/p\u003e \u003cp\u003eThe Divergent Workflow—I Can’t Just Apply a Patch? 254\u003c\/p\u003e \u003cp\u003ePreparation 256\u003c\/p\u003e \u003cp\u003eIdentification 256\u003c\/p\u003e \u003cp\u003eAnalysis 257\u003c\/p\u003e \u003cp\u003eVirtual Patch Creation 257\u003c\/p\u003e \u003cp\u003eImplementation and Testing 258\u003c\/p\u003e \u003cp\u003eRecovery and Follow-up 258\u003c\/p\u003e \u003cp\u003eLong-Term Thinking 259\u003c\/p\u003e \u003cp\u003eSummary 259\u003c\/p\u003e \u003cp\u003e\u003cb\u003eChapter 12 Software Transparency Predictions 261\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eEmerging Efforts, Regulations, and Requirements 261\u003c\/p\u003e \u003cp\u003eThe Power of the U.S. Government Supply Chains to Affect Markets 267\u003c\/p\u003e \u003cp\u003eAcceleration of Supply Chain Attacks 270\u003c\/p\u003e \u003cp\u003eThe Increasing Connectedness of Our Digital World 272\u003c\/p\u003e \u003cp\u003eWhat Comes Next? 275\u003c\/p\u003e \u003cp\u003eIndex 283\u003c\/p\u003e","brand":"John Wiley \u0026 Sons Inc","offers":[{"title":"Default Title","offer_id":48866615886167,"sku":"9781394158485","price":22.94,"currency_code":"GBP","in_stock":true}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/0817\/1739\/5799\/files\/9781394158485.jpg?v=1722279476","url":"https:\/\/bookcurl.com\/products\/software-transparency-9781394158485","provider":"Book Curl","version":"1.0","type":"link"}