Software Supply-Chain Security Reading List

A reading list for software supply-chain security.

Policy

• NIST 800-218: The Secure Software Development Framework

  • I Read NIST 800-218 So You Don't Have To (Chainguard)

• Executive Order 14028 (The White House)

• Dependency Issues: Solving the World's Open-Source Software Security Problem (War on the Rocks)

• Breaking trust: Shades of crisis across an insecure software supply chain (Atlantic Council)

• Securing the Digital Commons: Open-Source Software Cybersecurity (US House Committee on Science, Space, and Technology)

Incidents/Threats

• kik, left-pad, and npm (NPM blog)

• Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks (DIMVA20)

• Towards Using Source Code Repositories to Identify Software Supply Chain Attacks (SIGSAC20): identifying published software packages with different code from published source

• Software Supply Chain Compromises - A Living Dataset

  • Related paper
  • CNCF Dataset of incidents

• Thesis on typosquatting that made headlines. This dude pwn'ed (or could have!) thousands of machines.

• Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages

• Dependency Confusion - So-so writing but a brilliant (and copycatted) attack vector

• Log4j described in Wired

• Risk Explorer for Software Supply Chains (SAP): attack tree for supply chain attacks

  • Has an excellent "References" page that might be a good supplement to this document, especially for incidents/threats

Solutions

• In-toto: specify your full software supply chain as a series of "steps," and verify the integrity of each step

  • In-toto: Providing farm-to-table guarantees for bits and bytes (USENIX Security 19)

• Supply-chain Levels for Software Artifacts (SLSA): "levels" of security for the supply-chain of a project (e.g., higher levels require 2-party code review for every commit)

• The Update Framework: a set of best practices for distributing software packages and other artifacts

  • Package Management Security (University of Arizona)
  • A Look in the Mirror: Attacks on Package Managers (CCS08): catalog of attacks on package managers
  • Survivable Key Compromise in Software Update Systems (CCS10): paper that introduces TUF
  • Diplomat: Using Delegations to Protect Community Repositories (NSDI16): let authors of packages sign the packages, rather than having the repo do it for them
  • Mercury: Bandwidth-Effective Prevention of Rollback Attacks Against Community Repositories (ATC17): some tricks for saving bandwidth

• Sigstore: allows signing artifacts with OIDC identities (e.g., "Log in with Facebook")

  • Supply Chain Integrity, Transparency, and Trust: proposed IETF standard (uses some similar tech to Sigstore)

• Software Bill of Materials (SBOM) (CISA): a list of ingredients that make up software components

  • CycloneDX: an SBOM specification
  • SPDX: an SBOM specification

• Common Vulnerabilities and Exposures Database (MITRE)

  • Snyk Vulnerability Scanner (Snyk)
  • Trivy Vulnerability Scanner (Aqua Security)
  • Grype Vulnerability Scanner (Anchore)
  • All About That Base Image: run vulnerability scanner over common container "base images"

• Static analysis

  • Supporting the Detection of Software Supply Chain Attacks through Unsupervised Signature Generation (arXiv)

• Secure Production Identity Framework for Everyone (SPIFFE): PKI for your organization

  • SPIRE: implementation of SPIFFE

• Tekton Chains: artifact signatures and attestations for Tekton CI pipelines

• Secure Software Factory Prototype Implementation: a prototype implementation of the CNCF's Secure Software Factory

Organizations

• Open Software Security Foundation (OpenSSF)

  • Alpha-Omega Project: find and fix vulnerabilities in OSS, and improve project security
  • Working groups
    • Identifying Security Threats in Open Source Projects
    • Best Practices for Open Source Developers
    • Securing Critical Projects
    • Security Tooling
    • Supply Chain Integrity
    • Vulnerability Disclosures
    • Securing Software Repositories

• Cloud Native Computing Foundation (CNCF)

  • Parent of TUF and in-toto (see above)
  • Technical Advisory Group on Security (TAG security)

• Continuous Delivery Foundation (CDF)

  • Parent of Tekton (see above)
  • Special Interest Group Software Supply Chain (SIG Software Supply Chain)
  • Special Interest Group Best Practices (SIG Best Practices)

Background

• Reflections on Trusting Trust

• Transparency logs: tamper-evident logs of data

  • Certificate Transparency (Communications of the ACM)
  • Certificate Transparency (Mozilla)
  • Merkle trees (Ethereum Foundation)
  • Verifiable data structures (Google)
  • How CT works (Google)

Reports and summaries

• Another reading list: lots of overlap with this one

• Top Five Challenges in Software Supply Chain Security: Observations From 30 Industry and Government Organizations (IEEE S&P22)

• State of the Software Supply Chain (Sonatype)

• The Secure Software Factory (CNCF)

  • Software Supply Chain Security Best Practices (CNCF): its predecessor