A Year of Innovations and Insights in Software Supply Chain Security
Architecture diagram of a large in-house development organization, from OpenSSF's "Threat Model of Enterprise Open Source Supply Chains"

It's been a year since an update was merged into awesome-software-supply-chain-security, but I've been learning from various new publications, tools and research. In this article, I share my recommended reading list and the relevant developments that might help you make sense of this domain.

When I first compiled the repo in early 2022, I grouped hundreds of links under a few headers standing for the interests or jobs to be done that I saw emerging in the Software Supply Chain Security (SSCS) domain, based on my observations lurking in CNCF, OpenSSF and Microsoft's own SSCS community of practice.

At that time, a sizeable chunk of the literature in the SSCS domain came from industry and government policy and guidance, a handful of academic and quasi-academic works, open source project documentation, and attack retrospectives.

In a pinch, I put together an imperfect taxonomy and quickly realized what Marcela Melara and Santiago Torres Arias meant in A Viewpoint on Software Supply Chain Security: Are We Getting Lost in Translation? (November 2023) when they posited that nebulous terminology is making it hard to secure software development processes.

First, on definitions: when it comes to what belongs in the software supply chain scope, I'm seeing more voices take a maximalist approach: it's everything: people, bits, organizations, atoms, contracts, processes, conventions, and more.

This is not inherently good or bad, but it might make defining what an attack is a bit harder, because how open-endedly you define attacks determines whether you end up with an intractable volume of apples and oranges.

Today as in the past, we resort to pattern recognition (it's an attack if it looks like one of the earlier ones), but the continued work of DFRLab in Software Supply Chain Security: The Dataset (September 2023 update) and of Piergiorgio Ladisa et al. in SoK: Taxonomy of Attacks on Open-Source Software Supply Chains (youtube.com) (June 2023) are veritable compasses on this front.

Today, more publications than ever agree that SSCS attacks share common attributes, such as being multi-staged (ENISA, NIST) and abusing implicit trust. Maybe this sounds obvious or uncontroversial, yet leaders should use these attributes and inventories as tools to become more specific about the jobs to be done in their programs.

But when it comes to SSCS, what are those jobs to be done?

One of the questions everyone had back then (and maybe still today) was: "how is supply chain security different from any existing discipline or job-to-be-done in software security?": supplier risk management, application security testing, vulnerability management, build integrity, threat modeling, software composition analysis...

In the repo, I ended up drawing an imperfect affinity between certain practices, like SCA and SBOM with dependency intelligence, or vulnerability scanning with runtime policies and integrity verification. OSC&R (February 2023) was one of the first SSCS superset lenses I came across, and this superset approach is exemplified in Tyler Jewell's excellent Developer-Led Landscape: Software Supply Chain Security (July 2023).

On the inductive side of things, we continue to derive the jobs to be done from controls in policy, or reference architectures from industry guidance, including the ESF's SSC Working Group Recommended Practices series (November 2023, full list at the bottom of the press release), Microsoft's DevOps Threat Matrix (April 2023), to which I'm a contributor, though this article represents my views only, and the OpenSSF's Best Practice Guides, particularly Source Code Management Platform Configuration Best Practices (August 2023).

In Elements of an Effective Software Supply Chain Strategy (February 2023), Synopsys' Anita D'Amico, PhD and Tim Mackey put together one of the most approachable frameworks for mainstream audiences. And if you're looking to start from a comprehensive review of frameworks and standards, Cassie Crossley's Software Supply Chain Security (O'Reilly, February 2024) offers an updated, systematic and approachable analysis of global policies, standards and guidance that progresses to program elements covering people, suppliers, infrastructure, cloud, data, software transparency, and the software development lifecycle.

Role of metadata

It's still common to see the SSCS and SBOM topics bundled together. Some people think this does more harm than good, others are indifferent, but over the last year there's undeniably been no shortage of quality-centered tools and benchmarks, and of research highlighting nuances and shortcomings of SBOM practices (such as Musard Balliu et al.'s Challenges of Producing Software Bill of Materials for Java, November 2023).

I think we're breaking through the skepticism, perhaps disillusionment, of the last few years. I was never too concerned about the standards themselves, and more about the contract between the producer (a software publisher) and the consumer. I believe SBOM consumption patterns dictate the SBOM semantics and provide a blueprint for producers.

There's no one specific release of any one specific tool that is shifting the SBOM discourse today, but the issue, PR and discussion activity in open source projects is becoming a public record of the voice of the consumer trying to make sense of SBOMs. When tools implement techniques such as binary detection or darkfile inventories, it's a hint about what users would like to see, irrespective of format.

Here are three recent resources from various sources that help organizations with SBOM clarity, in progressive levels of detail:

  1. CISA's Types of Software Bill of Materials (April 2023) formalizes the concept of various kinds of SBOMs adapted to lifecycle stages.
  2. CMU SEI's Software Bill of Materials Framework (April 2023) provides a helpful framework with 44 practice questions that help programs set expectations.
  3. OWASP's Authoritative Guide to SBOM (June 2023) provides unparalleled, rich, yet accessible detail on use cases, lifecycles, and integration scenarios. This is a core SSCS read that transcends SBOM and is still valuable even for people who are not interested in CycloneDX.

Part of the question of how security artifacts and metadata will be consumed involves how they are distributed and retrieved. The building blocks for this have existed for a while (think Gatekeeper, Ratify, Sigstore, and some commercial services) and continue to mature, including GUAC (v0.1 in May 2023), but most of those building blocks are put together in support of bespoke processes.

As a result, most of the conventions between metadata (including SBOM) producers and consumers are implicit and ecosystem dependent. What I’m looking forward to is a discussion of trust beyond identities, to include processes and conventions represented declaratively to make metadata expectations explicit. In the meantime, data aggregators will fill this gap by trying to codify the available metadata into a lowest common denominator such as a risk score, which can lead to information silos.

Integrating the practices

One gem referenced in the OWASP guide is DJ Schleen's SBOM Process reference architecture. This work of high integrative value visually presents jobs-to-be-done, lifecycle stages, and integrations with various open source tools. It is one of a handful of non-linear representations of the SSCS problem space, something I highly welcome, since thinking about the problem linearly can be limiting for many organizations.

In Securing the Software Supply Chain (Manning, August 2023), Michael Lieberman and Brandon Lum expand on the foundational Secure Software Factory work from the CNCF tradition by taking a deep look into security applied to the software development lifecycle, and provide an unprecedented level of detail to help security leaders implement various SSCS practices in their organizations.

If you are focused on SSCS from the "developers, and the software they produce" angle and are looking for a book, Lieberman and Lum's is a leading choice at the time of this writing. But with Threat Modeling the Supply Chain for Software Consumers (September 2023), the OpenSSF has put together an outstanding reference document that highlights the distinct trust boundaries of consumption of 3P components, and of developer endpoints.

I'd be remiss not to mention Chris H. and Tony Turner's OG: Software Transparency: Supply Chain Security in an Era of a Software-Driven Society (Wiley, May 2023), an invaluable sensemaking resource for security and IT leaders. In late 2022, I found myself having to brief a group of security product and engineering leaders with a novel framework to think about SSCS. Had "Software Transparency" been available then, I would have just recommended it as a pre-read instead!

Technical innovations

There have been too many exciting technical innovations to talk about since I last updated awesome-software-supply-chain-security. Knowing I won't do them full justice, here are six developments that I found particularly representative, in no particular order:

  1. BuildKit's v0.11 release (January 2023) lowered the bar for creating SBOM and provenance metadata for container builds. Containers were already a popular workload for reasoning about SSCS solutions because: 1) the registry that holds the artifact can also hold the metadata, and 2) it's comparatively easier to make build and deploy agree on a contract. Just like the increase in usage of tools like Scorecards, while not a solution for the entire domain, BuildKit's capabilities significantly changed the economics of producing metadata for many maintainers.
  2. gittuf (July 2023) brings various features and concepts from TUF to git, but I like to imagine it (as an imperfect analogy) as "git meets SELinux". The ci-demo policy illustrates what the gittuf verify-ref main command would be looking to enforce.
  3. Macaron (March 2023) codifies various checks mapped to SLSA v0.1 and automates the process of getting metadata as inputs to those checks. This is a great example of what can be put together with the building blocks that have emerged in the SSCS domain over the last ~3 years. This tutorial helps you understand that from the lens of Maven ecosystem best practices/contracts.
  4. Chalk (May 2023) takes a different approach from most of the available tooling in that it semantically embeds the metadata in the artifact itself during build, which also means it has applications beyond SSCS.
  5. Chainloop (March 2023) allows you to declare the output materials you expect from a workflow in a policy, then enforce that in CI so that materials are ingested into content-addressed storage and fanned out to the rest of your process.
  6. Minder (November 2023) simplifies and automates governance for repository posture, for the things that must happen in a process (e.g., running certain tools), and for dependencies. Knowing that it's early days, I like to think of it as an active control loop counterpart to tools like OpenSSF Scorecard.
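Item 1 above rests on the registry holding the metadata next to the artifact. As an added example, not code from the original article or from the BuildKit project, this walks a constructed OCI image index laid out the way BuildKit attaches SBOM and provenance attestations (one attestation manifest per platform image, linked by the `vnd.docker.reference.*` annotations) and reports which predicate types each platform actually ships with; all digests are placeholders.

```python
"""Map platform images in a constructed OCI index to their attached attestations.
Constructed sample, not real registry output; digests are placeholders."""
from typing import Dict, List

# Annotation keys BuildKit puts on attestation manifests and their layers.
REF_TYPE = "vnd.docker.reference.type"
REF_DIGEST = "vnd.docker.reference.digest"
PREDICATE = "in-toto.io/predicate-type"
IN_TOTO = "application/vnd.in-toto+json"
UNKNOWN = {"os": "unknown", "architecture": "unknown"}

# Constructed index: three platform images, attestation manifests for only two.
SAMPLE_INDEX = {"manifests": [
    {"digest": "sha256:aaa", "platform": {"os": "linux", "architecture": "amd64"}},
    {"digest": "sha256:bbb", "platform": {"os": "linux", "architecture": "arm64"}},
    {"digest": "sha256:eee", "platform": {"os": "linux", "architecture": "s390x"}},
    {"digest": "sha256:ccc", "platform": UNKNOWN,
     "annotations": {REF_TYPE: "attestation-manifest", REF_DIGEST: "sha256:aaa"}},
    {"digest": "sha256:ddd", "platform": UNKNOWN,
     "annotations": {REF_TYPE: "attestation-manifest", REF_DIGEST: "sha256:bbb"}},
]}

# Constructed attestation manifests keyed by digest; each layer is one in-toto statement.
SAMPLE_BLOBS = {
    "sha256:ccc": {"layers": [
        {"mediaType": IN_TOTO, "annotations": {PREDICATE: "https://spdx.dev/Document"}},
        {"mediaType": IN_TOTO, "annotations": {PREDICATE: "https://slsa.dev/provenance/v0.2"}},
    ]},
    "sha256:ddd": {"layers": [
        {"mediaType": IN_TOTO, "annotations": {PREDICATE: "https://slsa.dev/provenance/v0.2"}},
    ]},
}


def attestations_by_platform(index: dict, blobs: dict) -> Dict[str, List[str]]:
    """Map each platform image to the predicate types attached to it.
    A platform with no attestation manifest maps to [], which a consumer policy
    should read as "no SBOM/provenance published", not as "nothing to check"."""
    images, attest = {}, {}
    for m in index["manifests"]:
        ann = m.get("annotations", {})
        if ann.get(REF_TYPE) == "attestation-manifest":
            attest[ann[REF_DIGEST]] = m["digest"]  # subject image -> attestation manifest
        else:
            p = m["platform"]
            images[m["digest"]] = f"{p['os']}/{p['architecture']}"
    result = {}
    for digest, platform in images.items():
        layers = blobs.get(attest.get(digest), {}).get("layers", [])
        result[platform] = [l["annotations"][PREDICATE] for l in layers if l.get("mediaType") == IN_TOTO]
    return result
```

Against a real registry, the index and the attestation manifests would be fetched over the OCI distribution API (or via `docker buildx imagetools inspect`); the mapping logic is unchanged.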

Ecosystem security

Some of you might be wondering if the end user, the leaf node in this whole thing, is the one that is supposed to always be burdened with the heavy load of tracking down a binary artifact to its corresponding commit hash in a public repository, analyzing the posture of the repository and the specifics of the commit and the workflows involved in producing the artifact, then vetting the contribution itself by inspecting the pull request and keeping tabs on the actor's pedigree.

There are numerous efforts happening centrally that are providing air cover and contributing to mitigating risks for everyone. Several repositories and their ecosystems have been working on initiatives ranging from new security requirements for publishers, to working with researchers on continuous scanning and fuzzing, to lowering the bar for adding provenance attestations to published packages.

I'm not that good at keeping track of everything out there, but if you're interested, Alpha-Omega's posts, Seth Larson's complete set of blog posts including the CPython SBOM proposal, Russ Cox's ACM SCORED presentation focusing on Go supply chain security, all the monthly reports from Reproducible Builds, and the quarterly or yearly reports of Endor Labs, Checkmarx or Phylum are all useful reads.

And I can't fit in all the things I'd like to talk about! For example, as part of building a CNAPP I spend a lot of time on application security testing, vulnerability management, SDLC posture, and more. We could talk about OSV, or about cdxgen, or a dozen other OSS tools. There are many SSCS commercial developments, not always OSS-adjacent, and undoubtedly more great papers and interesting research I simply don't know about yet. In some cases, such as the latest NSA Recommendations for SBOM Management (January 2024), I haven't found the time to review them yet.

The abridged version

Today, there are many ways to keep tabs on what's new in SSCS, from newsletters and podcasts to vendor blogs, project release notes and discussions deep on Slack, Discord, or the comments in a document somewhere. Unsurprisingly, there are at least 3 other SSCS awesome- and reading lists published, with more analysts and other great folks in the industry communicating all about it.

Instead of trying to keep up with all of that, my goal with this article is to present what I consider the must-reads (including the books and guides that we all wish had existed just 2 years ago!) and the developments that indicate larger trends worth keeping an eye on, hoping that helps others navigate the software supply chain security domain, and eager to learn your perspective, too.

While I truly believe the links in this article constitute a whole learning set, I realize it's still a lot. So if you're looking to bootstrap your understanding of the space, you might consider starting with the following five resources mentioned in this article:

  1. Elements of an Effective Software Supply Chain Strategy
  2. Threat Modeling the Supply Chain for Software Consumers - Open Source Security Foundation (openssf.org)
  3. One of the great books on this topic, such as Securing the Software Supply Chain (manning.com), Software Supply Chain Security [Book] (oreilly.com) or Software Transparency: Supply Chain Security in an Era of a Software-Driven Society | Wiley
  4. Authoritative Guide to SBOM (cyclonedx.org)
  5. The "Recommended Practices" series in NSA and ESF Partners Release Recommended Practices for Managing Open Source Software and Software Bill of Materials

Wow! Fantastic summary!

Daniel Liszka

Co-Founder at chainloop.dev | Software Supply Chain Security

7 months

This is an excellent summary Jose Miguel Parrella. We missed this initially :) We are honored to find Chainloop included.

Harry Bendix-Lewis

Co-Founder @ Forward Digital & lingly.ai

9 months

Hey Jose! I'm writing a report about Open Source Software for the Department for Science, Innovation and Technology in the UK. Part of that research is conducting interviews. Would you be interested? It's a unique opportunity to contribute to a key resource that will guide OSS risk management strategies across the UK and internally for the UK government. Let me know!

Adrian Diglio

Principal PM - Software Supply Chain Security, Microsoft | DevSecOps | Strategic Visionary | Collaborative Team Leader | Author | Inventor | Ex. engineer | I secure apps and platforms to reduce cyber risk at global scale

9 months

Great job distilling down a complex topic into an easy-to-understand summary! And with a suggested reading list, this is a fantastic resource!

Bruno Medina

Application Security Engineering Manager at Remitly

9 months

Jose Miguel Parrella this is a great read! During the last 4 years at Oracle's OCI and now here at Remitly I've been working on what we call 3P security, which kind of aligns with this vision. SBOMs, CPE, licenses and false positives are very much part of my day to day. And how it's impossible to only rely on 1 single tool or vertical (SCA, SAST).