{"id":13717942,"url":"https://github.com/chainguard-dev/ssc-reading-list","last_synced_at":"2025-05-07T08:30:40.095Z","repository":{"id":38818417,"uuid":"491584323","full_name":"chainguard-dev/ssc-reading-list","owner":"chainguard-dev","description":"A reading list for software supply-chain security.","archived":true,"fork":false,"pushed_at":"2022-11-21T20:07:14.000Z","size":68,"stargazers_count":362,"open_issues_count":2,"forks_count":13,"subscribers_count":18,"default_branch":"main","last_synced_at":"2025-03-22T00:05:28.424Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chainguard-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-05-12T16:11:42.000Z","updated_at":"2025-03-19T07:51:20.000Z","dependencies_parsed_at":"2023-01-22T17:00:53.406Z","dependency_job_id":null,"html_url":"https://github.com/chainguard-dev/ssc-reading-list","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fssc-reading-list","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fssc-reading-list/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fssc-reading-list/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fssc-reading-list/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chainguard-dev","download_url":"https://codeload.github.com/chainguard-dev/ssc-reading-list/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252842370,"owners_count":21812656,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T00:01:29.621Z","updated_at":"2025-05-07T08:30:39.824Z","avatar_url":"https://github.com/chainguard-dev.png","language":null,"funding_links":[],"categories":["Talks, articles, media coverage and other reading","Others"],"sub_categories":["Getting started and staying fresh"],"readme":"# Software Supply-Chain Security Reading List\n\nA reading list for software supply-chain security.\n\nYou should check out these other great lists; they all have lots of overlap with this one but slightly different focuses (this list tends a little more academic):\n\n-   [chughes757/SecureSoftwareSupplyChain](https://github.com/chughes757/SecureSoftwareSupplyChain): conferences, reports, whitepapers\n-   [bureado/awesome-software-supply-chain-security](https://github.com/bureado/awesome-software-supply-chain-security): lots of fun things (tools, proofs-of-concept); very exhaustive\n-   [meta-fun/awesome-software-supply-chain-security](https://github.com/meta-fun/awesome-software-supply-chain-security): more systematic\n\n\nPolicy\n======\n\n-   NIST Publications\n    - [NIST 800-218](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf): The Secure Software Development Framework\n      (cf. [I Read NIST 800-218 So You Don't Have To](https://blog.chainguard.dev/i-read-nist-800-218-so-you-dont-have-to-heres-what-to-watch-out-for/) (Chainguard))\n    - [NIST 800-161r1](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf): Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations\n\n-   [Executive Order 14028](https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity) (The White House, May 2021)\n    - [Related NIST Guidance](https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-supply-chain-security-guidance), especially on [SBOMs](https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1) and [vulnerability management](https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-0)\n    - [OMB Memo](https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf ) (September 2022)\n\n- [Securing the Software Supply Chain for Developers](https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF) (NSA, CISA, ODNI, August 2022) (and [our top 5 takeaways](https://blog.chainguard.dev/top-5-takeaways-on-the-nsa-cisa-odni-developer-guidelines-for-securing-the-software-supply-chain/))\n\n-   [Dependency Issues: Solving the World's Open-Source Software Security Problem](https://warontherocks.com/2022/05/dependency-issues-solving-the-worlds-open-source-software-security-problem/) (War on the Rocks)\n\n-   [Breaking trust: Shades of crisis across an insecure software supply chain](https://www.atlanticcouncil.org/in-depth-research-reports/report/breaking-trust-shades-of-crisis-across-an-insecure-software-supply-chain/) (Atlantic Council)\n\n-   [Securing the Digital Commons: Open-Source Software Cybersecurity](https://science.house.gov/hearings/securing-the-digital-commons-open-source-software-cybersecurity) (US House Committee on Science, Space, and Technology)\n\nIncidents/Threats\n=================\n\n-   Incidents\n    -   [kik, left-pad, and npm](https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm.html) (NPM blog, 2016)\n    -   [Compromise of MiMI (chat app) update server](https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html) (Trendmicro, 2022)\n    -   [log4shell vulnerability (in log4j)](https://www.wired.com/story/log4j-flaw-hacking-internet/) (Wired, 2021)\n    - Vulnerabilities in package repositories\n\t- PHP's [PEAR](https://blog.sonarsource.com/php-supply-chain-attack-on-pear/) and [Composer](https://blog.sonarsource.com/php-supply-chain-attack-on-composer/) (SonarSource)  \n\t- [CocoaPods](https://justi.cz/security/2021/04/20/cocoapods-rce.html), [unpkg](https://justi.cz/security/2018/05/23/cdn-tar-oops.html), [Packagist](https://justi.cz/security/2018/08/28/packagist-org-rce.html) and [RubyGems](https://justi.cz/security/2017/10/07/rubygems-org-rce.html) (Max Justicz, 2017–2021)\n        - [Phishing PyPI users](https://www.darkreading.com/cloud/phishing-campaign-targets-pypi-users-to-distribute-malicious-code) (Dark Reading, August 2022)\n\n-   Empirical measurement\n    -   [Towards Using Source Code Repositories to Identify Software Supply Chain Attacks](https://dl.acm.org/doi/abs/10.1145/3372297.3420015?casa_token=YSsIGn2lAgUAAAAA:JKARdg_D0tPS1PerolfMMlhosOx-kbOMpcTqu6tn57rV9BGHbsacw03ORONpRclJ6yhkasajuYl2) (SIGSAC20): identifying published software packages with different code from published source\n    -   [Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages](https://arxiv.org/abs/2002.01139)\n\n-   Datasets\n    -   [Software Supply Chain Compromises - A Living Dataset](https://github.com/IQTLabs/software-supply-chain-compromises) and [Related paper](https://www.usenix.org/system/files/login/articles/login_winter20_17_geer.pdf)\n    -   [CNCF Dataset of incidents](https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises)\n    -   [Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks](https://link.springer.com/chapter/10.1007/978-3-030-52683-2_2) (DIMVA20)\n\n-   Vectors\n    -   [Thesis on typosquatting that made headlines](https://incolumitas.com/data/thesis.pdf)\n    -   [Dependency Confusion](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)\n\n-   [Risk Explorer for Software Supply Chains](https://sap.github.io/risk-explorer-for-software-supply-chains/#/) (SAP): [attack tree](https://en.wikipedia.org/wiki/Attack_tree) for supply chain attacks\n    - Has an excellent \"References\" page that might be a good supplement to this document, especially for incidents/threats\n\n\nSolutions\n=========\n\n-   [In-toto](https://in-toto.io/): specify your full software supply chain as a series of \"steps,\" and verify the integrity of each step\n    -   [In-toto: Providing farm-to-table guarantees for bits and bytes](https://www.usenix.org/conference/usenixsecurity19/presentation/torres-arias) (USENIX Security 19)\n\n-   [Supply-chain Levels for Software Artifacts (SLSA)](https://slsa.dev/): \"levels\" of security for the supply-chain of a project (e.g., higher levels require 2-party code review for every commit)\n\n-   [The Update Framework](https://theupdateframework.io/): a set of best practices for distributing software packages and other artifacts\n    -   [Package Management Security](https://theupdateframework.io/papers/package-management-security-tr08-02.pdf?raw=true) (University of Arizona)\n    -   [A Look in the Mirror: Attacks on Package Managers](https://theupdateframework.io/papers/attacks-on-package-managers-ccs2008.pdf?raw=true) (CCS08): catalog of attacks on package managers\n    -   [Survivable Key Compromise in Software Update Systems](https://theupdateframework.io/papers/survivable-key-compromise-ccs2010.pdf?raw=true) (CCS10): paper that introduces TUF\n    -   [Diplomat: Using Delegations to Protect Community Repositories](https://theupdateframework.io/papers/protect-community-repositories-nsdi2016.pdf?raw=true) (NSDI16): let authors of packages sign the packages, rather than having the repo do it for them\n    -   [Mercury: Bandwidth-Effective Prevention of Rollback Attacks Against Community Repositories](https://theupdateframework.io/papers/prevention-rollback-attacks-atc2017.pdf?raw=true) (ATC17): some tricks for saving bandwidth\n\n\n-   Transparency for software artifacts (see \"transparency logs\" below)\n    - [Software Distribution Transparency and Auditability](https://arxiv.org/abs/1711.07278)\n    - [Contour: A Practical System for Binary Transparency](https://arxiv.org/abs/1712.08427)\n    - [Reproducible Builds: Break a log, good things come in trees](https://bora.uib.no/bora-xmlui/handle/1956/20411)\n    - [pacman-bintrans](https://github.com/kpcyrd/pacman-bintrans): binary transparency for the Arch Linux Pacman package manager\n    - [Androind Binary Transparency](https://developers.google.com/android/binary_transparency)\n    - [Mozilla Binary Transparency](https://wiki.mozilla.org/Security/Binary_Transparency)\n\n\n-   Schemes built on top of binary transparency systems\n    -   [Sigstore](https://www.sigstore.dev/): allows signing artifacts with [OIDC identities](https://openid.net/connect/) (e.g., \"Log in with Facebook\")\n        -   [Sigstore: Software Signing for Everyone](https://dl.acm.org/doi/10.1145/3548606.3560596): academic paper about Sigstore\n    -   [Supply Chain Integrity, Transparency, and Trust](https://datatracker.ietf.org/doc/html/draft-birkholz-scitt-architecture-00.html): proposed IETF standard (uses some similar tech to Sigstore)\n    -   [Gossamer](https://gossamer.tools/): Verifiable supply-chain security for open source software.\n\n\n-   [Software Bill of Materials (SBOM)](https://www.cisa.gov/sbom) (CISA): a list of ingredients that make up software components\n    -   [CycloneDX](https://cyclonedx.org/): an SBOM specification\n    -   [SPDX](https://spdx.dev/): an SBOM specification\n\n-   [Common Vulnerabilities and Exposures Database](https://www.cve.org/) (MITRE)\n    -   [Snyk Vulnerability Scanner](https://snyk.io/learn/vulnerability-scanner/) (Snyk)\n    -   [Trivy Vulnerability Scanner](https://aquasecurity.github.io/trivy/v0.27.1/) (Aqua Security)\n    -   [Grype Vulnerability Scanner](https://github.com/anchore/grype) (Anchore)\n    -   [All About That Base Image](https://uploads-ssl.webflow.com/6228fdbc6c97145dad2a9c2b/624e2337f70386ed568d7e7e_chainguard-all-about-that-base-image.pdf): run vulnerability scanner over common container \"base images\"\n\n-   Static analysis\n    -   [`govulncheck`](https://go.dev/blog/vuln)\n    -   [Supporting the Detection of Software Supply Chain Attacks through Unsupervised Signature Generation](https://arxiv.org/abs/2011.02235) (arXiv)\n\n-   [Secure Production Identity Framework for Everyone (SPIFFE)](https://spiffe.io/): PKI for your organization\n    -   [SPIRE](https://spiffe.io/docs/latest/spire-about/spire-concepts/): implementation of SPIFFE\n\n-   [Tekton Chains](https://tekton.dev/docs/chains/): artifact signatures and attestations for Tekton CI pipelines\n\n-   [Secure Software Factory Prototype Implementation](https://buildsec.github.io/ssf/): a prototype implementation of the CNCF's [Secure Software Factory](https://acrobat.adobe.com/link/review?uri=urn%3Aaaid%3Ascds%3AUS%3Ad35dcd5d-b284-381a-a948-0478460c7e4c#pageNum=6)\n\n-   (Semi-)automatic dependency updating\n    -   [Renovate](https://github.com/renovatebot/renovate) (White Source)\n    -   [Dependabot](https://github.com/dependabot/dependabot-core) (GitHub)\n\nOrganizations\n=============\n\n-   [Open Software Security Foundation](https://openssf.org/) (OpenSSF)\n    -   [Alpha-Omega Project](https://openssf.org/community/alpha-omega/): find and fix vulnerabilities in OSS, and improve project security\n    -   [Working groups](https://openssf.org/community/openssf-working-groups/)\n        -   Identifying Security Threats in Open Source Projects\n        -   Best Practices for Open Source Developers\n        -   Securing Critical Projects\n        -   Security Tooling\n        -   Supply Chain Integrity\n        -   Vulnerability Disclosures\n        -   Securing Software Repositories\n\n-   [Cloud Native Computing Foundation](https://www.cncf.io/) (CNCF)\n    -   Parent of TUF and in-toto (see above)\n    -   [Technical Advisory Group on Security](https://github.com/cncf/tag-security) (TAG security)\n\n-   [Continuous Delivery Foundation](https://cd.foundation/) (CDF)\n    -   Parent of Tekton (see above)\n    -   [Special Interest Group Software Supply Chain](https://github.com/cdfoundation/sig-software-supply-chain) (SIG Software Supply Chain)\n    -   [Special Interest Group Best Practices](https://github.com/cdfoundation/sig-best-practices) (SIG Best Practices)\n\nBackground\n==========\n\n-   [Reflections on Trusting Trust](https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf)\n\n-   [Transparency logs](https://transparency.dev/): tamper-evident logs of data\n    -   [Certificate Transparency](https://dl.acm.org/doi/fullHtml/10.1145/2659897?casa_token=WUWU20zV90gAAAAA:HMEtIURfaQFCRRnvpr09dz9tE-NLZ0cVYCWDK7LNN_4RxnCPoTQpLPshOQj-breDxmVuF5-JofeP) (Communications of the ACM)\n    -   [Certificate Transparency](https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency) (Mozilla)\n    -   [Merkle trees](https://blog.ethereum.org/2015/11/15/merkling-in-ethereum/) (Ethereum Foundation)\n    -   [Verifiable data structures](https://transparency.dev/verifiable-data-structures/) (Google)\n    -   [How CT works](https://certificate.transparency.dev/howctworks/) (Google)\n\nReports and summaries\n=====================\n\n-   [Top Five Challenges in Software Supply Chain Security: Observations From 30 Industry and Government Organizations](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9740718\u0026casa_token=uvuXkVAeGd0AAAAA:1qRdbyDo4wpb12N6Xu0Oxo92Wj9Quuy1eLIypdOqdGiasnbVHvX4eq7rBE7SA90Ib_br-5y6\u0026tag=1) (IEEE S\u0026P22)\n\n-   [State of the Software Supply Chain](https://www.sonatype.com/hubfs/Q3%202021-State%20of%20the%20Software%20Supply%20Chain-Report/SSSC-Report-2021_0913_PM_2.pdf?hsLang=en-us) (Sonatype)\n\n-   [The Secure Software Factory](https://github.com/cncf/tag-security/blob/main/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf) (CNCF)\n    -   [Software Supply Chain Security Best Practices](https://project.linuxfoundation.org/hubfs/CNCF_SSCP_v1.pdf) (CNCF): its predecessor\n\n-   [2022 Security Trends: Software Supply Chain Survey](https://anchore.com/blog/2022-security-trends-software-supply-chain-survey/) (Anchore)\n\n-   [ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses](https://scored.dev/program/) (SCORED '22)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fssc-reading-list","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchainguard-dev%2Fssc-reading-list","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fssc-reading-list/lists"}