Software Supply-Chain Security Reading List

A reading list for software supply-chain security.

You should check out these other great lists; they all have lots of overlap with this one but slightly different focuses (this list tends a little more academic):

• chughes757/SecureSoftwareSupplyChain: conferences, reports, whitepapers
• bureado/awesome-software-supply-chain-security: lots of fun things (tools, proofs-of-concept); very exhaustive
• meta-fun/awesome-software-supply-chain-security: more systematic

Policy

• NIST Publications

  • NIST 800-218: The Secure Software Development Framework (cf. I Read NIST 800-218 So You Don't Have To (Chainguard))
  • NIST 800-161r1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

• Executive Order 14028 (The White House, May 2021)

  • Related NIST Guidance, especially on SBOMs and vulnerability management
  • OMB Memo (September 2022)

• Securing the Software Supply Chain for Developers (NSA, CISA, ODNI, August 2022) (and our top 5 takeaways)

• Dependency Issues: Solving the World's Open-Source Software Security Problem (War on the Rocks)

• Breaking trust: Shades of crisis across an insecure software supply chain (Atlantic Council)

• Securing the Digital Commons: Open-Source Software Cybersecurity (US House Committee on Science, Space, and Technology)

Incidents/Threats

• Incidents

  • kik, left-pad, and npm (NPM blog, 2016)
  • Compromise of MiMI (chat app) update server (Trendmicro, 2022)
  • log4shell vulnerability (in log4j) (Wired, 2021)
  • Vulnerabilities in package repositories
  • PHP's PEAR and Composer (SonarSource)
  • CocoaPods, unpkg, Packagist and RubyGems (Max Justicz, 2017–2021)
    • Phishing PyPI users (Dark Reading, August 2022)

• Empirical measurement

  • Towards Using Source Code Repositories to Identify Software Supply Chain Attacks (SIGSAC20): identifying published software packages with different code from published source
  • Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages

• Datasets

  • Software Supply Chain Compromises - A Living Dataset and Related paper
  • CNCF Dataset of incidents
  • Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks (DIMVA20)

• Vectors

  • Thesis on typosquatting that made headlines
  • Dependency Confusion

• Risk Explorer for Software Supply Chains (SAP): attack tree for supply chain attacks

  • Has an excellent "References" page that might be a good supplement to this document, especially for incidents/threats

Solutions

• In-toto: specify your full software supply chain as a series of "steps," and verify the integrity of each step

  • In-toto: Providing farm-to-table guarantees for bits and bytes (USENIX Security 19)

• Supply-chain Levels for Software Artifacts (SLSA): "levels" of security for the supply-chain of a project (e.g., higher levels require 2-party code review for every commit)

• The Update Framework: a set of best practices for distributing software packages and other artifacts

  • Package Management Security (University of Arizona)
  • A Look in the Mirror: Attacks on Package Managers (CCS08): catalog of attacks on package managers
  • Survivable Key Compromise in Software Update Systems (CCS10): paper that introduces TUF
  • Diplomat: Using Delegations to Protect Community Repositories (NSDI16): let authors of packages sign the packages, rather than having the repo do it for them
  • Mercury: Bandwidth-Effective Prevention of Rollback Attacks Against Community Repositories (ATC17): some tricks for saving bandwidth

• Transparency for software artifacts (see "transparency logs" below)

  • Software Distribution Transparency and Auditability
  • Contour: A Practical System for Binary Transparency
  • Reproducible Builds: Break a log, good things come in trees
  • pacman-bintrans: binary transparency for the Arch Linux Pacman package manager
  • Androind Binary Transparency
  • Mozilla Binary Transparency

• Schemes built on top of binary transparency systems

  • Sigstore: allows signing artifacts with OIDC identities (e.g., "Log in with Facebook")
    • Sigstore: Software Signing for Everyone: academic paper about Sigstore
  • Supply Chain Integrity, Transparency, and Trust: proposed IETF standard (uses some similar tech to Sigstore)
  • Gossamer: Verifiable supply-chain security for open source software.

• Software Bill of Materials (SBOM) (CISA): a list of ingredients that make up software components

  • CycloneDX: an SBOM specification
  • SPDX: an SBOM specification

• Common Vulnerabilities and Exposures Database (MITRE)

  • Snyk Vulnerability Scanner (Snyk)
  • Trivy Vulnerability Scanner (Aqua Security)
  • Grype Vulnerability Scanner (Anchore)
  • All About That Base Image: run vulnerability scanner over common container "base images"

• Static analysis

  • govulncheck
  • Supporting the Detection of Software Supply Chain Attacks through Unsupervised Signature Generation (arXiv)

• Secure Production Identity Framework for Everyone (SPIFFE): PKI for your organization

  • SPIRE: implementation of SPIFFE

• Tekton Chains: artifact signatures and attestations for Tekton CI pipelines

• Secure Software Factory Prototype Implementation: a prototype implementation of the CNCF's Secure Software Factory

• (Semi-)automatic dependency updating

  • Renovate (White Source)
  • Dependabot (GitHub)

Organizations

• Open Software Security Foundation (OpenSSF)

  • Alpha-Omega Project: find and fix vulnerabilities in OSS, and improve project security
  • Working groups
    • Identifying Security Threats in Open Source Projects
    • Best Practices for Open Source Developers
    • Securing Critical Projects
    • Security Tooling
    • Supply Chain Integrity
    • Vulnerability Disclosures
    • Securing Software Repositories

• Cloud Native Computing Foundation (CNCF)

  • Parent of TUF and in-toto (see above)
  • Technical Advisory Group on Security (TAG security)

• Continuous Delivery Foundation (CDF)

  • Parent of Tekton (see above)
  • Special Interest Group Software Supply Chain (SIG Software Supply Chain)
  • Special Interest Group Best Practices (SIG Best Practices)

Background

• Reflections on Trusting Trust

• Transparency logs: tamper-evident logs of data

  • Certificate Transparency (Communications of the ACM)
  • Certificate Transparency (Mozilla)
  • Merkle trees (Ethereum Foundation)
  • Verifiable data structures (Google)
  • How CT works (Google)

Reports and summaries

• Top Five Challenges in Software Supply Chain Security: Observations From 30 Industry and Government Organizations (IEEE S&P22)

• State of the Software Supply Chain (Sonatype)

• The Secure Software Factory (CNCF)

  • Software Supply Chain Security Best Practices (CNCF): its predecessor

• 2022 Security Trends: Software Supply Chain Survey (Anchore)

• ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED '22)