Securing the software supply chain has increasingly become a topic of interest and concern for many IT and cybersecurity leaders across both the public and private sectors. Following several high-profile breaches carried out through software supply chain compromise, organizations are increasingly realizing both the fragility and the complexity of the software supply chain. This repository is a collection of resources aggregated to help practitioners and leaders understand the scope of the problem, as well as some of the best practices and solutions for mitigating the risk associated with an insecure software supply chain.
This repo contains a collection of Secure Software Supply Chain resources. This includes conferences, whitepapers, publications, research and more.
- White House Executive Order on Improving the Nation's Cybersecurity (https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/)
- DRAFT NIST 800-218 Secure Software Development Framework (SSDF) Recommendations for Mitigating Software Vulnerabilities (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218-draft.pdf)
- DRAFT National Security Telecommunications Advisory Committee (NSTAC) Draft Report to the President: Software Assurance in the Information and Communications Technology and Services Supply Chain (https://www.cisa.gov/sites/default/files/publications/Draft%20NSTAC%20Report%20to%20the%20President%20on%20Software%20Assurance.pdf)
- MITRE Delivery Uncompromised: Securing Critical Software Supply Chains (https://www.mitre.org/publications/technical-papers/deliver-uncompromised-securing-critical-software-supply-chains)
- Atlantic Council Breaking Trust: Shades of crisis across an insecure software supply chain (https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf)
- Atlantic Council Broken Trust: Lessons from Sunburst (https://www.atlanticcouncil.org/wp-content/uploads/2021/03/BROKEN-TRUST.pdf)
- Cloud Native Computing Foundation: Catalog of Supply Chain Compromises (https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises)
- Cloud Native Computing Foundation: A Framework for Supply Chain Evaluation (https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/secure-supply-chain-assessment.md)
- Cloud Native Computing Foundation: Software Supply Chain Best Practices Whitepaper (https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)
- Google: Protect your open source project from supply chain attacks (https://opensource.googleblog.com/2021/10/protect-your-open-source-project-from-supply-chain-attacks.html)
- Palo Alto: Unit 42 Cloud Threat Report Supply Chain Security Issues (https://www.paloaltonetworks.com/prisma/unit42-cloud-threat-research-2h21)
- Synopsys: Reduce Risk With Effective Software Supply Chain Management (https://www.synopsys.com/software-integrity/resources/white-papers/sofware-supply-chain-management.html)
- Google Cloud: Shifting Left on Security - Securing Software Supply Chains (https://cloud.google.com/files/shifting-left-on-security.pdf)
- VMware Securing Software Supply Chains blog (https://blogs.vmware.com/opensource/2021/06/01/vmware-developers-help-write-a-new-cncf-whitepaper-on-best-practices-for-securing-the-software-supply-chain/)
- VMware Supply Chain Choreography (https://tanzu.vmware.com/developer/guides/supply-chain-choreography/)
- CNCF Secure Software Factory Reference Architecture (https://github.com/cncf/tag-security/blob/main/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf)
- CIS Software Supply Chain Security Benchmark (https://github.com/aquasecurity/chain-bench/blob/main/docs/CIS-Software-Supply-Chain-Security-Guide-v1.0.pdf)
- NTIA SBOM Homepage (https://www.ntia.gov/SBOM)
- SBOM at a Glance (https://www.ntia.gov/files/ntia/publications/sbom_at_a_glance_apr2021.pdf)
- SBOM Two Page Overview (https://www.ntia.gov/files/ntia/publications/sbom_overview_20200818.pdf)
- SBOM Explainers on YouTube (https://www.youtube.com/playlist?list=PLO2lqCK7WyTDpVmcHsy6R2HWftFkUp6zG)
- SBOM Myths vs Facts (https://www.ntia.gov/files/ntia/publications/sbom_myths_vs_facts_nov2021.pdf)
- Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) – SECOND EDITION (https://www.ntia.gov/files/ntia/publications/ntia_sbom_framing_2nd_edition_20211021.pdf)
- How to Guide for SBOM Generation (https://www.ntia.gov/files/ntia/publications/howto_guide_for_sbom_generation_v1.pdf)
- Vulnerability Exploitability eXchange (VEX) - An Overview (https://www.ntia.gov/files/ntia/publications/vex_one-page_summary.pdf)
- SBOM Options and Decision Points (https://www.ntia.gov/files/ntia/publications/sbom_options_and_decision_points_20210427-1.pdf)
- Software Identity: Challenges and Guidance (https://www.ntia.gov/files/ntia/publications/ntia_sbom_software_identity-2021mar30.pdf)
- SBOM Tool Classification Taxonomy (https://www.ntia.gov/files/ntia/publications/ntia_sbom_tooling_taxonomy-2021mar30.pdf)
- Sharing and Exchanging SBOM (https://www.ntia.gov/files/ntia/publications/ntia_sbom_sharing_exchanging_sboms-10feb2021.pdf)
- SBOM and Attestations (https://www.youtube.com/watch?v=wX6aTZfpJv0&t=702s)
- Awesome SBOM Repository (https://github.com/awesomeSBOM/awesome-sbom)
- OWASP Global AppSec Virtual 2020 (https://www.youtube.com/playlist?list=PLpr-xdpM8wG_VUJaTWBSa6pdnlOX78Cz9)
- LinuxFoundation SupplyChainSecurityCon 2021 (https://cd.foundation/blog/2021/11/10/supplychainsecuritycon-talk-recordings-now-available/)
- NIST EO 14028 Guidelines for Enhancing Software Supply Chain Security (https://www.nist.gov/news-events/events/2021/11/executive-order-14028-guidelines-enhancing-software-supply-chain)
- Supply-chain Levels for Software Artifacts (SLSA) (https://slsa.dev/)
- Cybersecurity & Infrastructure Security Agency (CISA): Information and Communications Technology Supply Chain Risk Management (https://www.cisa.gov/supply-chain)
- The National Counterintelligence and Security Center: Supply Chain Risk Management Guidance (https://www.dni.gov/index.php/ncsc-newsroom/item/2153-ncsc-unveils-new-supply-chain-risk-management-guidance)
- in-toto: A framework to secure the integrity of software supply chains (https://in-toto.io/)
- OpenSSF: Scorecard (https://github.com/ossf/scorecard)
- Google: Open Source Insights (https://deps.dev/)
- OWASP: Dependency Check (https://owasp.org/www-project-dependency-check/)
- Open Source Security Foundation (OpenSSF) (https://openssf.org/)
- sigstore: A new standard for signing, verifying and protecting software (https://www.sigstore.dev/)
- CycloneDX (https://github.com/orgs/CycloneDX/repositories): open-source community SBOM standard with many tools supporting different language ecosystems
- DecoderRing (https://github.com/DanBeard/DecoderRing): tool for converting between popular SBOM formats (SPDX, SWID)
- VMware Supply Chain Cartographer (https://cartographer.sh/docs/v0.0.6/)
- Google Security Blog: How to SLSA Part 1 - The Basics (https://security.googleblog.com/2022/04/how-to-slsa-part-1-basics.html)
- Google Security Blog: How to SLSA Part 2 - The Details (https://security.googleblog.com/2022/04/how-to-slsa-part-2-details.html)
- Google Security Blog: How to SLSA Part 3 - Putting it all together (https://security.googleblog.com/2022/04/how-to-slsa-part-3-putting-it-all.html)
- Tom Alrich's Blog: Finally, guidelines for using SBOMs (https://tomalrichblog.blogspot.com/2022/04/finally-guidelines-for-using-sboms.html)
- Tom Alrich's Blog: Needed: Real-time VEX (https://tomalrichblog.blogspot.com/2022/04/needed-real-time-vex.html)
- Tom Alrich's Blog: Which is the right SBOM format for us? (https://tomalrichblog.blogspot.com/2022/01/which-is-right-sbom-format-for-us.html)
Special thanks go out to the various subject matter experts, researchers and practitioners who have created this content. Their work benefits the entire software and security community in the effort to create a more secure digital ecosystem.