Software Transparency by Chris Hughes;Tony Turner;Steve Springett; & Tony Turner
Author:Chris Hughes;Tony Turner;Steve Springett; & Tony Turner [Hughes, Chris & Turner, Tony]
Language: eng
Format: epub
ISBN: 9781394158492
Publisher: John Wiley & Sons, Inc. (trade)
Published: 2023-06-07T00:00:00+00:00
Dependencies
The CIS guide recognizes the fundamental role dependencies play in the software supply chain. There is an emphasis on the reality that dependencies generally come from third-party sources such as Log4j and can cause massive damage when exploited. In fact, studies such as those from Sonatype and EndorLabs show that six out of seven vulnerabilities come from transitive dependencies.
Third-party packages require proper governance and use, including efforts to establish trust and manage their use appropriately. Third-party packages impact not just your software but downstream consumers of your software as well, as was evident with Log4j and its associated flurry of notifications from vendors whose software was impacted. Security controls here include verifying third-party artifacts and open source libraries, requiring SBOMs from third-party suppliers, and requiring/verifying signed metadata of the build process. These steps help mitigate the risk of using malicious or high-risk third-party components, leading to an understanding of what is inside the software of a supplier/vendor and ensuring that artifacts haven't been compromised during the build process.
The guide calls for validating packages to understand how and if to use them at all, and it includes a combination of policy and technical controls such as establishing organization-wide guidance for dependency use, scanning packages for known vulnerabilities, and maintaining awareness of ownership changes. These controls help govern the use of packages while also ensuring that existing packages aren't vulnerable and keeping track of ownership implications that can lead to malicious activity by new owners.
Download
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.
Cryptography | Encryption |
Hacking | Network Security |
Privacy & Online Safety | Security Certifications |
Viruses |
Future Crimes by Marc Goodman(3012)
Mastering Python for Networking and Security by José Manuel Ortega(2979)
Blockchain Basics by Daniel Drescher(2906)
Practical Threat Detection Engineering by Megan Roddie & Jason Deyalsingh & Gary J. Katz(2656)
Mastering Bitcoin: Programming the Open Blockchain by Andreas M. Antonopoulos(2528)
Effective Threat Investigation for SOC Analysts by Yahia Mostafa;(2497)
From CIA to APT: An Introduction to Cyber Security by Edward G. Amoroso & Matthew E. Amoroso(2493)
The Art Of Deception by Kevin Mitnick(2311)
Machine Learning Security Principles by John Paul Mueller(2233)
The Code Book by Simon Singh(2228)
Practical Memory Forensics by Svetlana Ostrovskaya & Oleg Skulkin(2211)
Solidity Programming Essentials by Ritesh Modi(1930)
Operationalizing Threat Intelligence by Kyle Wilhoit & Joseph Opacki(1896)
Hands-On AWS Penetration Testing with Kali Linux by Benjamin Caudill & Karl Gilbert(1887)
Attacking and Exploiting Modern Web Applications by Simone Onofri & Donato Onofri(1883)
Wireless Hacking 101 by Karina Astudillo(1859)
DarkMarket by Misha Glenny(1852)
Applied Network Security by Arthur Salmon & Michael McLafferty & Warun Levesque(1845)
Mobile Forensics Cookbook by Igor Mikhaylov(1820)