Software Transparency by Chris Hughes;Tony Turner;Steve Springett; & Tony Turner
Author:Chris Hughes;Tony Turner;Steve Springett; & Tony Turner [Hughes, Chris & Turner, Tony]
Language: eng
Format: epub
ISBN: 9781394158492
Publisher: John Wiley & Sons, Inc. (trade)
Published: 2023-06-07T00:00:00+00:00
Dependencies
The CIS guide recognizes the fundamental role dependencies play in the software supply chain. There is an emphasis on the reality that dependencies generally come from third-party sources such as Log4j and can cause massive damage when exploited. In fact, studies such as those from Sonatype and EndorLabs show that six out of seven vulnerabilities come from transitive dependencies.
Third-party packages require proper governance and use, including efforts to establish trust and manage their use appropriately. Third-party packages impact not just your software but downstream consumers of your software as well, as was evident with Log4j and its associated flurry of notifications from vendors whose software was impacted. Security controls here include verifying third-party artifacts and open source libraries, requiring SBOMs from third-party suppliers, and requiring/verifying signed metadata of the build process. These steps help mitigate the risk of using malicious or high-risk third-party components, leading to an understanding of what is inside the software of a supplier/vendor and ensuring that artifacts haven't been compromised during the build process.
The guide calls for validating packages to understand how and if to use them at all, and it includes a combination of policy and technical controls such as establishing organization-wide guidance for dependency use, scanning packages for known vulnerabilities, and maintaining awareness of ownership changes. These controls help govern the use of packages while also ensuring that existing packages aren't vulnerable and keeping track of ownership implications that can lead to malicious activity by new owners.
Download
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.
Cryptography | Encryption |
Hacking | Network Security |
Privacy & Online Safety | Security Certifications |
Viruses |
Effective Threat Investigation for SOC Analysts by Yahia Mostafa;(3874)
Machine Learning Security Principles by John Paul Mueller(3609)
Practical Memory Forensics by Svetlana Ostrovskaya & Oleg Skulkin(3599)
Operationalizing Threat Intelligence by Kyle Wilhoit & Joseph Opacki(3281)
Attacking and Exploiting Modern Web Applications by Simone Onofri & Donato Onofri(3259)
Mastering Azure Security by Mustafa Toroman and Tom Janetscheck(3103)
Future Crimes by Marc Goodman(3099)
Mastering Python for Networking and Security by José Manuel Ortega(3093)
Blockchain Basics by Daniel Drescher(3005)
Mobile App Reverse Engineering by Abhinav Mishra(2684)
Operationalizing Threat Intelligence by Joseph Opacki Kyle Wilhoit(2645)
Mastering Bitcoin: Programming the Open Blockchain by Andreas M. Antonopoulos(2616)
Solidity Programming Essentials by Ritesh Modi(2606)
From CIA to APT: An Introduction to Cyber Security by Edward G. Amoroso & Matthew E. Amoroso(2566)
The Art Of Deception by Kevin Mitnick(2391)
The Code Book by Simon Singh(2370)
Microsoft 365 Security, Compliance, and Identity Administration by Peter Rising(2249)
Incident Response with Threat Intelligence by Roberto MartÃnez(2161)
Hands-On AWS Penetration Testing with Kali Linux by Benjamin Caudill & Karl Gilbert(1990)