A knowledge base comprising Software Supply Chain Security initiatives, standards, regulations, organizations, vendors, tooling, books, articles and a plethora of other learning resources from the web. The list was initially compiled to help me with my research on the topic of Software Supply Chain Security. I've now made the list public for the benefit of everyone else working in this domain. I will endeavour to keep the list up to date as best as I can.
National Telecommunications and Information Administration (NTIA)
- NTIA SBOM Resources
- SBOM FAQ
- How-To Guide for SBOM Generation
- The Minimum Elements For a Software Bill of Materials (SBOM), [PDF]
Cybersecurity and Infrastructure Security Agency (CISA)
- CISA SBOM Resources
- Types of Software Bill of Material (SBOM) Documents
- Software Bill of Materials (SBOM) Sharing Lifecycle Report, April 2023
- SBOM-a-rama 2023 Recordings
- SBOM-a-rama 2021 Recordings
- CISA recommendations on Defending Against Software Supply Chain Attacks, CISA, April 2021
- CISA Security-by-Design and -Default guidance
- 2022 Top Routinely Exploited Vulnerabilities, [PDF]
- Transforming the Vulnerability Management Landscape - CISA blog on outlining three critical steps to advance the vulnerability management ecosystem.
- CISA Open Source Software Security Roadmap, [PDF]
- CISA Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management, [PDF]
- Improving Security of Open Source Software (OSS) in Operational Technology (OT) and Industrial Control Systems (ICS)
- CISA Software Identification Ecosystem Option Analysis white paper, [PDF]
- Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption, [PDF], November 2023
- Securing the Software Supply Chain: Recommended Practices for Managing Open-Source Software and Software Bill of Materials, December 2023
The White House - Office of the National Cyber Director (ONCD)
- Request for Information: Open-Source Software Security: Areas of Long-Term Focus and Prioritization, [Public comments to RFI]
- National Cybersecurity Strategy 2023
National Institute of Standards and Technology (NIST)
- Improving the Nation's Cybersecurity: NIST’s Responsibilities Under the May 2021 Executive Order
- NIST SP 800-218: Secure Software Development Framework (SSDF)
- NIST SP 800-204D - Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD pipelines, [PDF], (Initial Public Draft) - August 2023, Comments Due Date: October 13, 2023
- NIST SP 800-161 Rev.1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, May 2022
Open Worldwide Application Security Project (OWASP)
- OWASP Software Component Verification Standard
- OWASP Top 10 CI/CD Security Risks
- OWASP CycloneDX
- OWASP BOM Maturity Model
- Article on Component Analysis by Steve Springett
Open Source Security Foundation (OpenSSF)
- The Open Source Software Security Mobilization Plan
- OpenSSF Working Groups
- OpenSSF sigstore
- Securing Your Software Supply Chain with Sigstore Course
- OpenSSF Scorecard, [GitHub]
- OpenSSF Source Code Management Best Practices Guide
- OpenSSF Threat Model of Enterprise Open Source Supply Chains
- SBOMit: Adding Verification to SBOMs, [GitHub]
Cloud Native Computing Foundation (CNCF)
- Software Supply Chain Security
- CNCF Software Supply Chain Best Practices, [GitHub]
- Secure Software Factory Reference Architecture
- Factory for Repeatable Secure Creation of Artifacts (FRSCA)
- EO-14028 - Executive Order on Improving the Nation’s Cybersecurity, May 12, 2021
- The European Cyber Resilience Act (CRA), September 2022
- Supply-chain Levels for Software Artifacts (SLSA), [GitHub], [Google]
- OWASP Software Component Verification Standard (SCVS)
- NIST SP 800-218: Secure Software Development Framework (SSDF)
- NIST recommendations on Defending Against Software Supply Chain Attacks, NIST, April 2021
- OASIS Common Security Advisory Framework (CSAF), [GitHub] - Common Security Advisory Framework (CSAF) is a language to exchange Security Advisories and allows stakeholders to automate the creation and consumption of security vulnerability information and remediation.
- Defending Continuous Integration/Continuous Delivery (CI/CD) Environments, NSA and CISA joint Cybersecurity Information Sheet (CSI), June 2023
- Securing the Software Supply Chain: Recommended Practices Guide for Customers, ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Customers [Press Release], November 2022
- Securing the Software Supply Chain: Recommended Practices Guide for Suppliers, ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Suppliers [Press Release], October 2022
- Securing the Software Supply Chain: Recommended Practices Guide for Developers, NSA, CISA, ODNI Release Software Supply Chain Guidance for Developers [Press Release], August 2022
- CIS Software Supply Chain Security Guide v1.0, June 2022
- NSA CSI on Recommendations for Software Bill of Materials (SBOM) Management, December 2023
- Microsoft Secure Supply Chain Consumption Framework (S2C2F)[GitHub]
- Blueprint for building modern, secure software development pipelines
- in-toto [GitHub] - A framework to secure the integrity of software supply chains. It does so by verifying that each task in the chain is carried out as planned, by authorized personnel only, and that the product is not tampered with in transit.
- Trusted Attestation and Compliance for Open Source (TACOS) Framework - TACOS is a framework for attesting to the secure software development practices of open source packages.
- The Update Framework (TUF), Repository Service for TUF (RSTUF) - A framework for securing software update systems
- ODNI Supply Chain Risk Management Documentation
- Supply Chain Integrity, Transparency, and Trust (SCITT), [GitHub], [SCIM GitHub] - The Supply Chain Integrity, Transparency and Trust (SCITT) initiative is a set of proposed IETF industry standards for managing the compliance of goods and services across end-to-end supply chains.
- MITRE Supply Chain Security System of Trust (SoT) initiative
- OpenPubkey Project, [GitHub], [Signing Docker Official Images Using OpenPubkey]
- Tekton Chains - Artifact signatures and attestations for Tekton CI/CD systems
- Notary, [GitHub] - A CNCF incubating project aiming to provide enterprise-grade solutions and cross-industry standards for Signing and validating software artifacts.
- SLSA Threats & Mitigations
- Google article on Software Supply Chain Threats
- MITRE ATT&CK Supply Chain Compromise Techniques
- CAPEC Supply-Chain Attack Vectors
- CNCF Catalog of Types of Supply Chain Compromises
- Open Software Supply Chain Attack Reference (OSC&R), [GitHub]
- OWASP Top 10 CI/CD Security Risks
- Microsoft Open Source Software Supply Chain Threats catalogue
- Top 10 Open Source Software (OSS) Risks, [PDF]
- Worldwide software supply chain attacks tracker (updated daily)
- CNCF Tag Security - Catalog of Supply Chain Compromises
- IQT Labs - Software Supply Chain Compromises
- ReversingLabs - A (Partial) History of Software Supply Chain Attacks
- Sonatype - A History of Software Supply Chain Attacks - July 2017–Present
- PowerHell: Active Flaws in PowerShell Gallery Expose Users to Attacks, August 2023
- Software Supply Chain Attacks - An Illustrated Typological Review, January 2023
- ENISA Threat Landscape for Supply Chain Attacks, July 2021
- Atlantic Council's BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain, July 2020
- Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks, July 2020
- Risk Explorer for Software Supply Chains, [Attack Vectors], [Safeguards], [Research Paper], [GitHub]
- ODNI Software Supply Chain Attacks - 2023 Edition
- ODNI Software Supply Chain Attacks - 2021 Edition
- ODNI Software Supply Chain Attacks - 2017 Edition
- CVE (New), CVE (Old)
- National Vulnerability Database (NVD)
- VulnDB
- The Exploit Database
- Open Source Vulnerability Database (OSV)
- Global Security Database (GSD)
- Sonatype OSS Index
- Snyk Vulnerability DB
- Open Source Insights - Open Source Insights is a service developed and hosted by Google to help developers better understand the structure, construction, and security of open source software packages.
- VulnerableCode - VulnerableCode provides an open database of software packages that are affected by known security vulnerabilities.
- Vulnerability Exploitability eXchange (VEX)
- VEX Use Cases
- VEX Status Justification
- Minimum Requirements for Vulnerability Exploitability eXchange (VEX), [PDF]
- When to Issue VEX Information
- VDR vs VEX
- What is the Vulnerability Exploitability eXchange (VEX)?
- OpenVEX Specification
- OASIS CSAF Specification
- Software Bill of Materials (SBOM)
- Software as a Service Bill of Materials (SaaSBOM)
- Hardware Bill of Materials (HBOM)
- Machine Learning Bill of Materials (MLBOM)
- Manufacturing Bill of Materials (MBOM)
- Operations Bill of Materials (OBOM)
- Cryptography Bill of Materials (CBOM)
- SBOM Hall of Fame - A place for the InfoSec community to share and celebrate real stories of organizations successfully using SBOMs (and other bills of material) to actually manage and reduce security risk in meaningful ways.
- FOSS SBOM Management @ Mercedes-Benz: This is how we do it!, November 2023
- Cisco Demonstrating Transparency through Software Bill of Materials (SBOM), August 2023
- Introducing Software Bill of Materials for Confluent Platform, July 2023
- GitLab Software Supply Chain Security Direction
- kubernetes bom tool
- Microsoft’s SBOM Tool
- spdx-sbom-generator
- syft
- Tern - A software package inspection tool to generate Software Bill of Materials (SBOM) for containers.
- Trivy
- OWASP Dependency-Track
- Graph for Understanding Artifact Composition (GUAC), [GitHub], [Google Article], [YouTube]
- Grype - A vulnerability scanner for container images and filesystems. Grype Works with Syft, the SBOM generation tool for container images and filesystems.
- NTIA Conformance Checker
- protobom - Protobom offers a format-neutral representation of SBOM package and file data and the ability to translate this data between popular SBOM formats.
- bomshell - Bomshell is an SBOM programming interface and workbench that lets users query and remix data from SBOMs to extract and model software to generate new SBOMs that are structured and contain the data that SBOM ingestion tools expect.
- bobber - bomber scans the closed source SBOMs that are provided when you receive them from vendors. It can scan open source SBOMs too, and technically you could use bomber as an open source SCA tool if you wanted to.
- Exporting SBOMs with Amazon Inspector
- Using SBOM to find vulnerable container images running on Amazon EKS clusters
- Best Practices to help secure your container image build pipeline by using AWS Signer
- Securing the Software Supply Chain - Protect your application development lifecycle by Michael Lieberman and Brandon Lum, Release date: Expected Spring 2024
- Software Supply Chain Security: Securing the End-to-End Supply Chain for Software, Firmware, and Hardware by Cassie Crossley, Release date: Expected January 2024
- Software Transparency - Supply Chain Security in an Era of Software-Driven Society by Chris Huges and Tony Turner, Release date: June 2023
- Sonatype 9th Annual State of the Software Supply Chain, Sonatype, 2023
- Snyk State of Open Source Security 2023 Report, Snyk, 2023
- Synopsis Open Source Security and Risk Analysis Report, Synopsis, 2023
- The State of Dependency Management, Endor Labs, 2023
- The State of Software Supply Chain Security 2023, ReversingLabs, 2023
- Sonatype 8th Annual State of the Software Supply Chain report, Sonatype, 2022
- OpenSSF Annual Report, OpenSSF, 2022
- Software Bill of Materials (SBOM) and Cybersecurity Readiness, The Linux Foundation, January 2022
- The State of Enterprise Open Source, RedHat, 2022
- The State of Open Source Security Vulnerabilities, Mend, 2021
- GSMA Open Source Software Security Research Summary, GSMA, December 2020
- Snyk State of Open Source Security Report, Snyk, 2020
- State of Software Security - Open Source Edition, Veracode, 2020
- State of the Software Supply Chain - The 6th Annual Report on Global Open Source Software Development, Sonatype, 2020
- Authoritative Guide to SBOM, OWASP CycloneDX, June 2023
- Open Source Supply Chain Security course, Course material collected, curated, maintained and structured by PhD students and faculty from the KTH Royal Institute of Technology in Stockholm, Sweden
- GitHub documentation on Software Supply Chain Security
- Sonatype Software Bill of Materials (SBOM) Quick Start Guide
- SLSA mapping to other Frameworks
- Venafi - The software supply chain toolkit - An interactive guide on how to secure your third-party software
- Fostering Open Source Software Security - Blueprint for a Government Cybersecurity Open Source Program Office, Stiftung Neue Verantwortung (SNV), May 2023* Tragedy of the Digital Commons, Sharma, Chinmayi, Written: August 2022, Last Revised: May 2023
- “Always Contribute Back”: A Qualitative Study on Security Challenges of the Open Source Supply Chain, April 2023
- MITRE Whitepaper - Deliver Uncompromised: Securing Critical Software Supply Chains, September 2021
- On Systematics of the Information Security of Software Supply Chains, December 2020
- For Good Measure-Counting Broken Links: A Quant’s View of Software Supply Chain Security, December 2020
- BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain, July 2020
- Surviving Software Dependencies - Software reuse is finally here but comes with risks., July 2019
- Supply Chain Integrity: An overview of the ICT supply chain risks and challenges, and vision for the way forward, CISA, September 2015
- Principles and Practices for Software Bill of Materials for Medical Device Cybersecurity, Medical Device Cybersecurity Working Group, International Medical Device Regulators Forum, April 2023
- An Empirical Study on Software Bill of Materials: Where We Stand and the Road Ahead, February 2023
- Using the Software Bill of Materials for Enhancing Cybersecurity, Capgemini, January 2021
- bureado / awesome-software-supply-chain-security
- meta-fun / awesome-software-supply-chain-security
- awesomeSBOM / awesome-sbom
- AevaOnline / supply-chain-synthesis
- IQTLabs / software-supply-chain-compromises
- chainguard-dev / ssc-reading-list
- chughes757 / SecureSoftwareSupplyChain
- Malicious Dependencies
- neo4cyclone - Neo4Cyclone is a project that ingests CycloneDX SBOMs in a Neo4J database for visualisation purposes.
- Common Threat Matrix for CI/CD Pipeline - This is an ATT&CK-like matrix focused on CI/CD Pipeline risks.
None
- cicd-goat - Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, capture the flags.
- daBOM
- Tromzo Podcasts
- ConversingLabs
- Open Source Security Podcast
- Code Patrol by Contrast Security - CycloneDX 1.5: The missing link in SBOMs and software transparency?, August 2023
- Proof of Concept: Managing Software Supply Chain Woes, August 2023
- Tromzo Podcast EP 41 — SAP’s Helen Oakley on Protecting Human Well-Being by Securing Software Supply Chains, July 2023
- Tromzo Podcast EP 40 — Steve Springett on Solving Software Supply Chain Security and SBOM Challenges, July 2023
- Tromzo Podcast EP 25 — Navigating the Complex World of Software Supply Chain Security with Schneider Electric’s Cassie Crossley, March 2023
- Resilient Cyber by Chris Huges
- Tom Alrich's blog by Tom Alrich
- An Overview of Software Supply Chain Security
- Software Supply Chain Vendor Landscape
- The SEI SBOM Framework: Informing Third-Party Software Management in Your Supply Chain
- Securing the Software Supply Chain, VMWare blog
- The Rising Threat of Software Supply Chain Attacks: Managing Dependencies of Open Source projects
- The history of cybersecurity
- Lessons Not Learned From Software Supply Chain Attacks
- SBOM 101 - Answering the questions I was afraid to ask
- “SBOM” should not exist! Long live the SBOM.
- SLSA dip — At the Source of the problem!
- Are SBOMs any good? Preliminary measurement of the quality of open source project SBOMs
- I am not a supplier
- Making the Cyber Resilience Act work for open source software developers
- Software supply chain attacks – everything you need to know
- What is an SBOM, and why should you Care??
- Software Bill Of Materials (SBOM) Formats, Use Cases, and Specifications
- Are you ready with your SBOM ? Think again !
- What an SBOM can do for you
- Comparing SBOM Standards: SPDX vs. CycloneDX
- GitHub blog post on Introducing npm package provenance
- pypi-scan: A Tool for Scanning the Python Package Index for Typosquatters
- Vulnerability Exploitability eXchange explained: How VEX makes SBOMs actionable
- How a Vulnerability Exploitability eXchange can help healthcare prioritize cybersecurity risk
- What is VEX and What Does it Have to Do with SBOMs?
- VDR or VEX – Which Do I Use?
- How to Generate and Host an SBOM
- How to Analyze an SBOM
- After the Advisory
- The Challenges of Securing the Open Source Supply Chain
- A Toolbox for a Secure Software Supply Chain
- Why Do SBOM Haters Hate? Or Why Trade Associations Say the Darndest Things
- Unleashing in-toto: The API of DevSecOps
- All about OSC&R, a Software Supply Chain Security Framework
- Defense Against Novel Threats: Redesigning CI at Mercari
- OpenPubkey and Sigstore
- Open-Source Security: How Digital Infrastructure Is Built on a House of Cards by Chinmayi Sharma
- How one programmer broke the internet by deleting a tiny piece of code
- Building Trust Brick by Brick: Exploring the Landscape of Modern Secure Supply Chain Tools, October 2023
- Reflections on Trust in the Software Supply Chain by Jeremy Long, BlackHat, August 2023
- Flaming Hot SLSA! by Abhay Bhargav, 2022
- Attacking and Securing CI/CD Pipeline, 2021
- MITRE Software Bill of Materials (SBOM) Presentation, 2019
- Top 10 Open Source Software (OSS) Risks, November 2023
- SBOM & CycloneDX with Steve Springett, August 2023
- Software Identity And The Naming Of Things, 2023
- Why you need an XBOM – the eXtended Software Bill of Materials
- Securing Shopify's Software Supply Chain by Shane Lawrence, Shopify, 2022
- How to start learning about Supply Chain Security | Cloud Native Podcast, Episode 48
- Using CSAF to Respond to Supply Chain Vulnerabilities at Large Scale
- The Three Disciplines of CI/CD Security // DANIEL KRIVELEVICH
- Securing the Digital Commons: Open-Source Software Cybersecurity
None