Skip to content

Latest commit

 

History

History
412 lines (357 loc) · 43 KB

README.md

File metadata and controls

412 lines (357 loc) · 43 KB

Software Supply Chain Security

Introduction

A knowledge base comprising Software Supply Chain Security initiatives, standards, regulations, organizations, vendors, tooling, books, articles and a plethora of other learning resources from the web. The list was initially compiled to help me with my research on the topic of Software Supply Chain Security. I've now made the list public for the benefit of everyone else working in this domain. I will endeavour to keep the list up to date as best as I can.

Organizations, Foundations, Working Groups

National Telecommunications and Information Administration (NTIA)

Cybersecurity and Infrastructure Security Agency (CISA)

The White House - Office of the National Cyber Director (ONCD)

National Institute of Standards and Technology (NIST)

Open Worldwide Application Security Project (OWASP)

Open Source Security Foundation (OpenSSF)

Cloud Native Computing Foundation (CNCF)

Regulations

Standards, Frameworks, Best Practices

Software Supply Chain Threats

Threats

Attacks / Compromises

Attack Research / Reports

Vulnerability Management

Vulnerability Databases

EPSS

VEX

SSVC

KEV

Software Identification

Bill of Materials (BOM)

Software Bill of Materials (SBOM)

Formats and Specifications

SBOM Lifecycle

SBOM Adoption / Implementation

Tooling

SBOM Generation

SBOM Scanning & Analysis

  • OWASP Dependency-Track
  • Graph for Understanding Artifact Composition (GUAC), [GitHub], [Google Article], [YouTube]
  • Grype - A vulnerability scanner for container images and filesystems. Grype Works with Syft, the SBOM generation tool for container images and filesystems.
  • NTIA Conformance Checker
  • protobom - Protobom offers a format-neutral representation of SBOM package and file data and the ability to translate this data between popular SBOM formats.
  • bomshell - Bomshell is an SBOM programming interface and workbench that lets users query and remix data from SBOMs to extract and model software to generate new SBOMs that are structured and contain the data that SBOM ingestion tools expect.
  • bobber - bomber scans the closed source SBOMs that are provided when you receive them from vendors. It can scan open source SBOMs too, and technically you could use bomber as an open source SCA tool if you wanted to.

SBOM Governance

Software Supply Chain Security in the Cloud

AWS

Azure

GCP

Books

Industry Reports

Guides / Documentation

Articles / White Papers

Supply Chain Attacks

Supply Chain Security

SBOM

GitHub Repos

Other Repos

GitHub Projects

Events / Conferences

None

Trainings

  • cicd-goat - Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, capture the flags.

Webinars

Podcasts

Newsletters

Blogs

Industry / Community

Experts

Vendors

From the Web

Readings

Presentations

Videos

Software Supply Chain Security & Artificial Intelligence (AI)

None

Vendors

Miscellaneous / Unsorted