Software Supply-Chain Security Reading List
A reading list for software supply-chain security.
You should check out these other great lists; they all have lots of overlap with this one but slightly different focuses (this list tends a little more academic):
- chughes757/SecureSoftwareSupplyChain: conferences, reports, whitepapers
- bureado/awesome-software-supply-chain-security: lots of fun things (tools, proofs-of-concept); very exhaustive
- meta-fun/awesome-software-supply-chain-security: more systematic
Policy
- NIST Publications
  - NIST 800-218: The Secure Software Development Framework (cf. I Read NIST 800-218 So You Don't Have To (Chainguard))
  - NIST 800-161r1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
- Executive Order 14028 (The White House, May 2021)
  - Related NIST Guidance, especially on SBOMs and vulnerability management
  - OMB Memo (September 2022)
- Securing the Software Supply Chain for Developers (NSA, CISA, ODNI, August 2022) (and our top 5 takeaways)
- Dependency Issues: Solving the World's Open-Source Software Security Problem (War on the Rocks)
- Breaking trust: Shades of crisis across an insecure software supply chain (Atlantic Council)
- Securing the Digital Commons: Open-Source Software Cybersecurity (US House Committee on Science, Space, and Technology)
Incidents/Threats
- Incidents
  - kik, left-pad, and npm (NPM blog, 2016)
  - Compromise of MiMI (chat app) update server (Trend Micro, 2022)
  - Log4Shell vulnerability (in Log4j) (Wired, 2021)
  - Vulnerabilities in package repositories
  - PHP's PEAR and Composer (SonarSource)
  - CocoaPods, unpkg, Packagist and RubyGems (Max Justicz, 2017–2021)
  - Phishing PyPI users (Dark Reading, August 2022)
- Empirical measurement
  - Towards Using Source Code Repositories to Identify Software Supply Chain Attacks (SIGSAC20): identifying published software packages with different code from published source
  - Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages
- Datasets
- Vectors
- Risk Explorer for Software Supply Chains (SAP): attack tree for supply chain attacks
  - Has an excellent "References" page that might be a good supplement to this document, especially for incidents/threats
Solutions
- In-toto: specify your full software supply chain as a series of "steps," and verify the integrity of each step
  - In-toto: Providing farm-to-table guarantees for bits and bytes (USENIX Security 19)
- Supply-chain Levels for Software Artifacts (SLSA): "levels" of security for the supply-chain of a project (e.g., higher levels require 2-party code review for every commit)
- The Update Framework: a set of best practices for distributing software packages and other artifacts
  - Package Management Security (University of Arizona)
  - A Look in the Mirror: Attacks on Package Managers (CCS08): catalog of attacks on package managers
  - Survivable Key Compromise in Software Update Systems (CCS10): paper that introduces TUF
  - Diplomat: Using Delegations to Protect Community Repositories (NSDI16): let authors of packages sign the packages, rather than having the repo do it for them
  - Mercury: Bandwidth-Effective Prevention of Rollback Attacks Against Community Repositories (ATC17): some tricks for saving bandwidth
- Transparency for software artifacts (see "transparency logs" below)
  - Software Distribution Transparency and Auditability
  - Contour: A Practical System for Binary Transparency
  - Reproducible Builds: Break a log, good things come in trees
  - pacman-bintrans: binary transparency for the Arch Linux Pacman package manager
  - Android Binary Transparency
  - Mozilla Binary Transparency
- Schemes built on top of binary transparency systems
  - Sigstore: allows signing artifacts with OIDC identities (e.g., "Log in with Facebook")
  - Sigstore: Software Signing for Everyone: academic paper about Sigstore
  - Supply Chain Integrity, Transparency, and Trust: proposed IETF standard (uses some similar tech to Sigstore)
  - Gossamer: Verifiable supply-chain security for open source software.
- Software Bill of Materials (SBOM) (CISA): a list of ingredients that make up software components
- Common Vulnerabilities and Exposures Database (MITRE)
  - Snyk Vulnerability Scanner (Snyk)
  - Trivy Vulnerability Scanner (Aqua Security)
  - Grype Vulnerability Scanner (Anchore)
  - All About That Base Image: run vulnerability scanner over common container "base images"
- Static analysis
- Secure Production Identity Framework for Everyone (SPIFFE): PKI for your organization
  - SPIRE: implementation of SPIFFE
- Tekton Chains: artifact signatures and attestations for Tekton CI pipelines
- Secure Software Factory Prototype Implementation: a prototype implementation of the CNCF's Secure Software Factory
- (Semi-)automatic dependency updating
  - Renovate (White Source)
  - Dependabot (GitHub)
Organizations
- Open Software Security Foundation (OpenSSF)
  - Alpha-Omega Project: find and fix vulnerabilities in OSS, and improve project security
  - Working groups
  - Identifying Security Threats in Open Source Projects
  - Best Practices for Open Source Developers
  - Securing Critical Projects
  - Security Tooling
  - Supply Chain Integrity
  - Vulnerability Disclosures
  - Securing Software Repositories
- Cloud Native Computing Foundation (CNCF)
  - Parent of TUF and in-toto (see above)
  - Technical Advisory Group on Security (TAG security)
- Continuous Delivery Foundation (CDF)
  - Parent of Tekton (see above)
  - Special Interest Group Software Supply Chain (SIG Software Supply Chain)
  - Special Interest Group Best Practices (SIG Best Practices)
Background
- Transparency logs: tamper-evident logs of data
  - Certificate Transparency (Communications of the ACM)
  - Certificate Transparency (Mozilla)
  - Merkle trees (Ethereum Foundation)
  - Verifiable data structures (Google)
  - How CT works (Google)
Reports and summaries
- Top Five Challenges in Software Supply Chain Security: Observations From 30 Industry and Government Organizations (IEEE S&P22)
- State of the Software Supply Chain (Sonatype)
- The Secure Software Factory (CNCF)
  - Software Supply Chain Security Best Practices (CNCF): its predecessor
- 2022 Security Trends: Software Supply Chain Survey (Anchore)
- ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED '22)