Software Supply Chain Security - Helion
ISBN: 9781098133665
Pages: 244, Format: ebook
Release date: 2024-02-02
Bookstore: Helion
Book price: 141,94 zł (previously: 197,14 zł)
You save: 28% (-55,20 zł)
Trillions of lines of code help us in our lives, companies, and organizations. But just a single software cybersecurity vulnerability can stop entire companies from doing business and cause billions of dollars in revenue loss and business recovery. Securing the creation and deployment of software, also known as software supply chain security, goes well beyond the software development process.
This practical book gives you a comprehensive look at security risks and identifies the practical controls you need to incorporate into your end-to-end software supply chain. Author Cassie Crossley demonstrates how and why everyone involved in the supply chain needs to participate if your organization is to improve the security posture of its software, firmware, and hardware.
With this book, you'll learn how to:
- Pinpoint the cybersecurity risks in each part of your organization's software supply chain
- Identify the roles that participate in the supply chain—including IT, development, operations, manufacturing, and procurement
- Design initiatives and controls for each part of the supply chain using existing frameworks and references
- Implement secure development lifecycle, source code security, software build management, and software transparency practices
- Evaluate third-party risk in your supply chain
Table of Contents
Software Supply Chain Security eBook -- table of contents
- Foreword
- Preface
- Who Should Read This Book
- Why I Wrote This Book
- Navigating This Book
- Conventions Used in This Book
- O'Reilly Online Learning
- How to Contact Us
- Acknowledgments
- 1. Supply Chain Security
- Supply Chain Definitions
- Software Supply Chain Security Impacts
- Requirements, Laws, Regulations, and Directives
- Summary
- 2. Supply Chain Frameworks and Standards
- Technology Risk Management Frameworks
- NIST SP 800-37 Risk Management Framework (RMF)
- ISO 31000:2018 Risk Management
- Control Objectives for Information and Related Technologies (COBIT) 2019
- NIST Cybersecurity Framework (CSF)
- Supply Chain Frameworks and Standards
- NIST SP 800-161 Cybersecurity Supply Chain Risk Management for Systems and Organizations
- UK Supplier Assurance Framework
- MITRE System of Trust (SoT) Framework
- ISO/IEC 20243-1:2023 Open Trusted Technology Provider Standard
- SCS 9001 Supply Chain Security Standard
- ISO 28000:2022 Security and Resilience
- ISO/IEC 27036 Information Security for Supplier Relationships
- Framework and Standards Considerations Summary
- Summary
- 3. Infrastructure Security in the Product Lifecycle
- Developer Environments
- Code Repositories and Build Platforms
- Development Tools
- Labs and Test Environments
- Preproduction and Production Environments
- Software Distribution and Deployment Locations
- Manufacturing and Supply Chain Environments
- Customer Staging for Acceptance Tests
- Service Systems and Tools
- Summary
- 4. Secure Development Lifecycle
- Key Elements of an SDL
- Security Requirements
- Secure Design
- Secure Development
- Security Testing
- Vulnerability Management
- Augmenting an SDLC with SDL
- ISA/IEC 62443-4-1 Secure Development Lifecycle
- NIST SSDF
- Microsoft SDL
- ISO/IEC 27034 Application Security
- SAFECode
- SDL Considerations for IoT, OT, and Embedded Systems
- Product and Application Security Metrics
- Summary
- 5. Source Code, Build, and Deployment Management
- Source Code Types
- Open Source
- Commercial
- Proprietary
- Operating Systems and Frameworks
- Low-Code/No-Code
- Generative AI Source Code
- Code Quality
- Secure Coding Standards
- Software Analysis Technologies
- Code Reviews
- Source Code Integrity
- Change Management
- Trusted Source Code
- Trusted Dependencies
- Build Management
- Authentication and Authorization
- Build Scripts and Automation
- Repeatability and Reproducibility
- Code Signing
- Deployment Management
- Summary
- 6. Cloud and DevSecOps
- Cloud Frameworks, Controls, and Assessments
- ISO/IEC 27001 Information Security Management Systems
- Cloud Security Alliance CCM and CAIQ
- Cloud Security Alliance STAR Program
- American Institute of CPAs SOC 2
- US FedRAMP
- Cloud Security Considerations and Requirements
- DevSecOps
- Change Management for Cloud
- Secure Design and Development for Cloud Applications
- API Security
- Testing
- Deploying Immutable Infrastructure and Applications
- Securing Connections
- Operating and Monitoring
- Site Reliability Engineering
- Summary
- 7. Intellectual Property and Data
- Data Classification
- People
- Technology
- Data Security
- Loss of Code, Keys, and Secrets
- Design Flaws
- Configuration Errors
- Application Programming Interfaces (APIs)
- Vulnerabilities
- Summary
- 8. Software Transparency
- Software Transparency Use Cases
- Software Bill of Materials (SBOM)
- SBOM Formats
- SBOM Elements
- SBOM Limitations
- Additional Bill of Materials (BOMs)
- Vulnerability Disclosures
- Additional Transparency Approaches
- US CISA Secure Software Development Attestation Common Form
- Supply Chain Integrity, Transparency, and Trust (SCITT)
- Digital Bill of Materials and Sharing Mechanisms
- Graph of Understanding Artifact Composition (GUAC)
- In-Toto Attestation
- Software Provenance
- Practices and Technology
- Summary
- 9. Suppliers
- Cyber Assessments
- Assessment Responses
- Research
- IT Security Including Environmental Security
- Product/Application Security Organization
- Product Security Processes and Secure Development Lifecycle
- Training
- Secure Development and Security Testing
- Build Management, DevSecOps, and Release Management
- Scanning, Vulnerability Management, Patching, and SLAs
- Cloud Applications and Environments
- Development Services
- Manufacturing
- Cyber Agreements, Contracts, and Addendums
- Ongoing Supplier Management
- Monitoring
- Supplier Reviews
- Right to Audit and Assess
- Summary
- 10. Manufacturing and Device Security
- Suppliers and Manufacturing Security
- Equipment, Systems, and Network Security Configurations
- Physical Security
- Code, Software, and Firmware Integrity
- Tests for Integrity
- Counterfeits
- Chain of Custody
- Device Protection Measures
- Firmware Public Key Infrastructure (PKI)
- Hardware Root of Trust
- Secure Boot
- Secure Element
- Device Authentication
- Summary
- 11. People in the Software Supply Chain
- Cybersecurity Organizational Structures
- Security Champions
- Cybersecurity Awareness and Training
- Development Team
- Secure Development Lifecycle (SDL)
- Source Code Management
- DevSecOps and Cloud
- Capture-the-Flag Events
- Third-Party Suppliers
- Manufacturing and Distribution
- Customer Projects and Field Services
- End Users
- Summary
- A. Security Controls
- Infrastructure Security Controls
- Secure Development Lifecycle Controls
- Source Code, Build, and Deployment Controls
- Cloud Controls
- Intellectual Property and Data Controls
- Software Transparency Controls
- Supplier Controls
- Manufacturing and Device Security Controls
- People Controls
- Index