Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/chainguard-dev/ssc-reading-list

A reading list for software supply-chain security.
https://github.com/chainguard-dev/ssc-reading-list

Last synced: 28 days ago
JSON representation

A reading list for software supply-chain security.

Awesome Lists containing this project

README

        

# Software Supply-Chain Security Reading List

A reading list for software supply-chain security.

You should check out these other great lists; they all have lots of overlap with this one but slightly different focuses (this list tends a little more academic):

- [chughes757/SecureSoftwareSupplyChain](https://github.com/chughes757/SecureSoftwareSupplyChain): conferences, reports, whitepapers
- [bureado/awesome-software-supply-chain-security](https://github.com/bureado/awesome-software-supply-chain-security): lots of fun things (tools, proofs-of-concept); very exhaustive
- [meta-fun/awesome-software-supply-chain-security](https://github.com/meta-fun/awesome-software-supply-chain-security): more systematic

Policy
======

- NIST Publications
- [NIST 800-218](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf): The Secure Software Development Framework
(cf. [I Read NIST 800-218 So You Don't Have To](https://blog.chainguard.dev/i-read-nist-800-218-so-you-dont-have-to-heres-what-to-watch-out-for/) (Chainguard))
- [NIST 800-161r1](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf): Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

- [Executive Order 14028](https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity) (The White House, May 2021)
- [Related NIST Guidance](https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-supply-chain-security-guidance), especially on [SBOMs](https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1) and [vulnerability management](https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-0)
- [OMB Memo](https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf ) (September 2022)

- [Securing the Software Supply Chain for Developers](https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF) (NSA, CISA, ODNI, August 2022) (and [our top 5 takeaways](https://blog.chainguard.dev/top-5-takeaways-on-the-nsa-cisa-odni-developer-guidelines-for-securing-the-software-supply-chain/))

- [Dependency Issues: Solving the World's Open-Source Software Security Problem](https://warontherocks.com/2022/05/dependency-issues-solving-the-worlds-open-source-software-security-problem/) (War on the Rocks)

- [Breaking trust: Shades of crisis across an insecure software supply chain](https://www.atlanticcouncil.org/in-depth-research-reports/report/breaking-trust-shades-of-crisis-across-an-insecure-software-supply-chain/) (Atlantic Council)

- [Securing the Digital Commons: Open-Source Software Cybersecurity](https://science.house.gov/hearings/securing-the-digital-commons-open-source-software-cybersecurity) (US House Committee on Science, Space, and Technology)

Incidents/Threats
=================

- Incidents
- [kik, left-pad, and npm](https://blog.npmjs.org/post/141577284765/kik-left-pad-and-npm.html) (NPM blog, 2016)
- [Compromise of MiMI (chat app) update server](https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html) (Trendmicro, 2022)
- [log4shell vulnerability (in log4j)](https://www.wired.com/story/log4j-flaw-hacking-internet/) (Wired, 2021)
- Vulnerabilities in package repositories
- PHP's [PEAR](https://blog.sonarsource.com/php-supply-chain-attack-on-pear/) and [Composer](https://blog.sonarsource.com/php-supply-chain-attack-on-composer/) (SonarSource)
- [CocoaPods](https://justi.cz/security/2021/04/20/cocoapods-rce.html), [unpkg](https://justi.cz/security/2018/05/23/cdn-tar-oops.html), [Packagist](https://justi.cz/security/2018/08/28/packagist-org-rce.html) and [RubyGems](https://justi.cz/security/2017/10/07/rubygems-org-rce.html) (Max Justicz, 2017–2021)
- [Phishing PyPI users](https://www.darkreading.com/cloud/phishing-campaign-targets-pypi-users-to-distribute-malicious-code) (Dark Reading, August 2022)

- Empirical measurement
- [Towards Using Source Code Repositories to Identify Software Supply Chain Attacks](https://dl.acm.org/doi/abs/10.1145/3372297.3420015?casa_token=YSsIGn2lAgUAAAAA:JKARdg_D0tPS1PerolfMMlhosOx-kbOMpcTqu6tn57rV9BGHbsacw03ORONpRclJ6yhkasajuYl2) (SIGSAC20): identifying published software packages with different code from published source
- [Towards Measuring Supply Chain Attacks on Package Managers for Interpreted Languages](https://arxiv.org/abs/2002.01139)

- Datasets
- [Software Supply Chain Compromises - A Living Dataset](https://github.com/IQTLabs/software-supply-chain-compromises) and [Related paper](https://www.usenix.org/system/files/login/articles/login_winter20_17_geer.pdf)
- [CNCF Dataset of incidents](https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises)
- [Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks](https://link.springer.com/chapter/10.1007/978-3-030-52683-2_2) (DIMVA20)

- Vectors
- [Thesis on typosquatting that made headlines](https://incolumitas.com/data/thesis.pdf)
- [Dependency Confusion](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)

- [Risk Explorer for Software Supply Chains](https://sap.github.io/risk-explorer-for-software-supply-chains/#/) (SAP): [attack tree](https://en.wikipedia.org/wiki/Attack_tree) for supply chain attacks
- Has an excellent "References" page that might be a good supplement to this document, especially for incidents/threats

Solutions
=========

- [In-toto](https://in-toto.io/): specify your full software supply chain as a series of "steps," and verify the integrity of each step
- [In-toto: Providing farm-to-table guarantees for bits and bytes](https://www.usenix.org/conference/usenixsecurity19/presentation/torres-arias) (USENIX Security 19)

- [Supply-chain Levels for Software Artifacts (SLSA)](https://slsa.dev/): "levels" of security for the supply-chain of a project (e.g., higher levels require 2-party code review for every commit)

- [The Update Framework](https://theupdateframework.io/): a set of best practices for distributing software packages and other artifacts
- [Package Management Security](https://theupdateframework.io/papers/package-management-security-tr08-02.pdf?raw=true) (University of Arizona)
- [A Look in the Mirror: Attacks on Package Managers](https://theupdateframework.io/papers/attacks-on-package-managers-ccs2008.pdf?raw=true) (CCS08): catalog of attacks on package managers
- [Survivable Key Compromise in Software Update Systems](https://theupdateframework.io/papers/survivable-key-compromise-ccs2010.pdf?raw=true) (CCS10): paper that introduces TUF
- [Diplomat: Using Delegations to Protect Community Repositories](https://theupdateframework.io/papers/protect-community-repositories-nsdi2016.pdf?raw=true) (NSDI16): let authors of packages sign the packages, rather than having the repo do it for them
- [Mercury: Bandwidth-Effective Prevention of Rollback Attacks Against Community Repositories](https://theupdateframework.io/papers/prevention-rollback-attacks-atc2017.pdf?raw=true) (ATC17): some tricks for saving bandwidth

- Transparency for software artifacts (see "transparency logs" below)
- [Software Distribution Transparency and Auditability](https://arxiv.org/abs/1711.07278)
- [Contour: A Practical System for Binary Transparency](https://arxiv.org/abs/1712.08427)
- [Reproducible Builds: Break a log, good things come in trees](https://bora.uib.no/bora-xmlui/handle/1956/20411)
- [pacman-bintrans](https://github.com/kpcyrd/pacman-bintrans): binary transparency for the Arch Linux Pacman package manager
- [Androind Binary Transparency](https://developers.google.com/android/binary_transparency)
- [Mozilla Binary Transparency](https://wiki.mozilla.org/Security/Binary_Transparency)

- Schemes built on top of binary transparency systems
- [Sigstore](https://www.sigstore.dev/): allows signing artifacts with [OIDC identities](https://openid.net/connect/) (e.g., "Log in with Facebook")
- [Sigstore: Software Signing for Everyone](https://dl.acm.org/doi/10.1145/3548606.3560596): academic paper about Sigstore
- [Supply Chain Integrity, Transparency, and Trust](https://datatracker.ietf.org/doc/html/draft-birkholz-scitt-architecture-00.html): proposed IETF standard (uses some similar tech to Sigstore)
- [Gossamer](https://gossamer.tools/): Verifiable supply-chain security for open source software.

- [Software Bill of Materials (SBOM)](https://www.cisa.gov/sbom) (CISA): a list of ingredients that make up software components
- [CycloneDX](https://cyclonedx.org/): an SBOM specification
- [SPDX](https://spdx.dev/): an SBOM specification

- [Common Vulnerabilities and Exposures Database](https://www.cve.org/) (MITRE)
- [Snyk Vulnerability Scanner](https://snyk.io/learn/vulnerability-scanner/) (Snyk)
- [Trivy Vulnerability Scanner](https://aquasecurity.github.io/trivy/v0.27.1/) (Aqua Security)
- [Grype Vulnerability Scanner](https://github.com/anchore/grype) (Anchore)
- [All About That Base Image](https://uploads-ssl.webflow.com/6228fdbc6c97145dad2a9c2b/624e2337f70386ed568d7e7e_chainguard-all-about-that-base-image.pdf): run vulnerability scanner over common container "base images"

- Static analysis
- [`govulncheck`](https://go.dev/blog/vuln)
- [Supporting the Detection of Software Supply Chain Attacks through Unsupervised Signature Generation](https://arxiv.org/abs/2011.02235) (arXiv)

- [Secure Production Identity Framework for Everyone (SPIFFE)](https://spiffe.io/): PKI for your organization
- [SPIRE](https://spiffe.io/docs/latest/spire-about/spire-concepts/): implementation of SPIFFE

- [Tekton Chains](https://tekton.dev/docs/chains/): artifact signatures and attestations for Tekton CI pipelines

- [Secure Software Factory Prototype Implementation](https://buildsec.github.io/ssf/): a prototype implementation of the CNCF's [Secure Software Factory](https://acrobat.adobe.com/link/review?uri=urn%3Aaaid%3Ascds%3AUS%3Ad35dcd5d-b284-381a-a948-0478460c7e4c#pageNum=6)

- (Semi-)automatic dependency updating
- [Renovate](https://github.com/renovatebot/renovate) (White Source)
- [Dependabot](https://github.com/dependabot/dependabot-core) (GitHub)

Organizations
=============

- [Open Software Security Foundation](https://openssf.org/) (OpenSSF)
- [Alpha-Omega Project](https://openssf.org/community/alpha-omega/): find and fix vulnerabilities in OSS, and improve project security
- [Working groups](https://openssf.org/community/openssf-working-groups/)
- Identifying Security Threats in Open Source Projects
- Best Practices for Open Source Developers
- Securing Critical Projects
- Security Tooling
- Supply Chain Integrity
- Vulnerability Disclosures
- Securing Software Repositories

- [Cloud Native Computing Foundation](https://www.cncf.io/) (CNCF)
- Parent of TUF and in-toto (see above)
- [Technical Advisory Group on Security](https://github.com/cncf/tag-security) (TAG security)

- [Continuous Delivery Foundation](https://cd.foundation/) (CDF)
- Parent of Tekton (see above)
- [Special Interest Group Software Supply Chain](https://github.com/cdfoundation/sig-software-supply-chain) (SIG Software Supply Chain)
- [Special Interest Group Best Practices](https://github.com/cdfoundation/sig-best-practices) (SIG Best Practices)

Background
==========

- [Reflections on Trusting Trust](https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf)

- [Transparency logs](https://transparency.dev/): tamper-evident logs of data
- [Certificate Transparency](https://dl.acm.org/doi/fullHtml/10.1145/2659897?casa_token=WUWU20zV90gAAAAA:HMEtIURfaQFCRRnvpr09dz9tE-NLZ0cVYCWDK7LNN_4RxnCPoTQpLPshOQj-breDxmVuF5-JofeP) (Communications of the ACM)
- [Certificate Transparency](https://developer.mozilla.org/en-US/docs/Web/Security/Certificate_Transparency) (Mozilla)
- [Merkle trees](https://blog.ethereum.org/2015/11/15/merkling-in-ethereum/) (Ethereum Foundation)
- [Verifiable data structures](https://transparency.dev/verifiable-data-structures/) (Google)
- [How CT works](https://certificate.transparency.dev/howctworks/) (Google)

Reports and summaries
=====================

- [Top Five Challenges in Software Supply Chain Security: Observations From 30 Industry and Government Organizations](https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=9740718&casa_token=uvuXkVAeGd0AAAAA:1qRdbyDo4wpb12N6Xu0Oxo92Wj9Quuy1eLIypdOqdGiasnbVHvX4eq7rBE7SA90Ib_br-5y6&tag=1) (IEEE S&P22)

- [State of the Software Supply Chain](https://www.sonatype.com/hubfs/Q3%202021-State%20of%20the%20Software%20Supply%20Chain-Report/SSSC-Report-2021_0913_PM_2.pdf?hsLang=en-us) (Sonatype)

- [The Secure Software Factory](https://github.com/cncf/tag-security/blob/main/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf) (CNCF)
- [Software Supply Chain Security Best Practices](https://project.linuxfoundation.org/hubfs/CNCF_SSCP_v1.pdf) (CNCF): its predecessor

- [2022 Security Trends: Software Supply Chain Survey](https://anchore.com/blog/2022-security-trends-software-supply-chain-survey/) (Anchore)

- [ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses](https://scored.dev/program/) (SCORED '22)