Software Component Verification Standard (SCVS)
https://github.com/OWASP/Software-Component-Verification-Standard
[![Build Status](https://github.com/OWASP/Software-Component-Verification-Standard/workflows/CI%20Build/badge.svg)](https://github.com/OWASP/Software-Component-Verification-Standard/actions?workflow=CI+Build)
![GitHub](https://img.shields.io/github/license/OWASP/Software-Component-Verification-Standard)
[![Slack](https://img.shields.io/badge/chat%20on-slack-46BC99.svg)](https://owasp.slack.com/messages/project-scvs)
[![Twitter](https://img.shields.io/twitter/follow/owasp_scvs.svg?label=Follow&style=social)](https://twitter.com/owasp_scvs)

# OWASP Software Component Verification Standard

The Software Component Verification Standard (SCVS) is a community-driven effort to
establish a framework for identifying activities, controls, and best practices, which can help in identifying and
reducing risk in a software supply chain.

Managing risk in the software supply chain is important to reduce the surface area of systems vulnerable to exploits,
and to measure technical debt as a barrier to remediation.

Measuring and improving software supply chain assurance is crucial for success. Organizations with supply chain visibility
are better equipped to protect their brand, increase trust, reduce time-to-market, and manage costs in the event of a
supply chain incident.

Software supply chains involve:
- technology
- people
- processes
- institutions
- additional variables

Raising the bar for supply chain assurance requires the active participation of
risk managers, mission owners, and business units like legal and procurement, which have not traditionally been involved
with technical implementation.

Determination of risk acceptance criteria is not a problem that can be solved by enterprise tooling: it is up to risk
managers and business decision makers to evaluate the advantages and trade-offs of security measures based on system
exposure, regulatory requirements, and constrained financial and human resources. Mandates that are internally
unachievable, or that bring development or procurement to a standstill, constitute their own security and institutional
risks.

SCVS is designed to be implemented incrementally, and to allow organizations to
phase in controls at different levels over time.

### SCVS has the following goals:

* Develop a common set of activities, controls, and best practices that can reduce risk in a software supply chain
* Identify a baseline and path to mature software supply chain vigilance