Cassie Crossley - Software Supply Chain Security (First Early Release)

Cassie Crossley, Software Supply Chain Security (First Early Release)
  • Book: Software Supply Chain Security (First Early Release)
  • Author: Cassie Crossley
  • Publisher: O'Reilly Media, Inc.
  • Genre: Computer / Science
  • Year: 2023

Software Supply Chain Security (First Early Release): summary, description and annotation

Trillions of lines of code help us in our lives, companies, and organizations. But just a single software cybersecurity vulnerability can stop entire companies from doing business and cause billions of dollars in revenue loss and business recovery. Securing the creation and deployment of software, also known as software supply chain security, goes well beyond the software development process.

This practical book gives you a comprehensive look at security risks and identifies the practical controls you need to incorporate into your end-to-end software supply chain. Author Cassie Crossley demonstrates how and why everyone involved in the supply chain needs to participate if your organization is to improve the security posture of its software, firmware, and hardware.

With this book, you'll learn how to:
  • Pinpoint the cybersecurity risks in each part of your organization's software supply chain
  • Find the cybersecurity frameworks and resources that can improve security
  • Identify the roles that participate in the supply chain, including IT, development, operations, manufacturing, and procurement
  • Design initiatives and controls for each part of the supply chain using existing frameworks and references
  • Evaluate third-party risk in your supply chain

Software Supply Chain Security

by Cassie Crossley

Copyright 2024 Cassaundra Crossley. All rights reserved.

Printed in the United States of America.

Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

  • Acquisitions Editor: Jennifer Pollock
  • Development Editor: Rita Fernando
  • Production Editor: Elizabeth Faerm
  • Copyeditor: To come
  • Proofreader: To come
  • Indexer: To come
  • Interior Designer: Monica Kamsvaag
  • Cover Designer: Karen Montgomery
  • Illustrator: Kate Dullea
  • January 2024: First Edition
Revision History for the Early Release
  • 2023-03-02: First Release

See http://oreilly.com/catalog/errata.csp?isbn=9781098133702 for release details.

The O'Reilly logo is a registered trademark of O'Reilly Media, Inc. Software Supply Chain Security, the cover image, and related trade dress are trademarks of O'Reilly Media, Inc.

The views expressed in this work are those of the author and do not represent the publisher's views. While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-098-13370-2

Chapter 1. Secure Development Lifecycle
A Note for Early Release Readers

With Early Release ebooks, you get books in their earliest form, the author's raw and unedited content as they write, so you can take advantage of these technologies long before the official release of these titles.

This will be the 3rd chapter of the final book.

If you have comments about how we might improve the content and/or examples in this book, or if you notice missing material within this chapter, please reach out to the editor at rfernando@oreilly.com.

A secure development lifecycle (SDL) consists of activities that strengthen an application's or product's security posture during the software development lifecycle (SDLC). It is also known as a secure software development lifecycle (SSDL, SSDLC, S-SDLC) or a Secure Software Development Framework (SSDF). Whatever you call it, its main goal is to augment an SDLC such as waterfall, Agile (e.g., Scrum, XP, or Kanban), hybrid, or iterative (combined waterfall and Agile methodologies). Your organization may already have SDL processes within its existing SDLC or DevOps processes, even if they aren't called that.

This chapter will discuss the details of SDLs, augmenting SDLCs, and the more popular SDLs you can use in your organization. SDLs are now a required element in many cybersecurity legal agreements and certifications. The decision of which SDL to use is specific to your organization. Once your organization has selected an SDL, document the selection and appropriate details in a corporate SDL policy.

Secure Development Lifecycle Control 01

Control SDL-01: Maintain a Secure Development Lifecycle (SDL) framework and policy that requires employees, contractors, and third parties to follow SDL practices for applications and products.

Key Elements of an SDL

An SDL is the foundation for a secure software supply chain. Four key elements of an SDL exist across the various SDL frameworks: security requirements, secure design, secure development, and security testing. Although you can reduce risk by implementing individual aspects of an SDL, such as security testing, without a full SDL you may still find yourself at a disadvantage. An SDL will help you implement a secure software supply chain with secure requirements, design, and development in a reproducible process.

Security Requirements

Security requirements may be defined in laws, regulations, and SDL frameworks, or by customers, internal requirements, and threat models. for cryptographic modules. At some point, all of these security requirements should be documented in a requirements or user-story database. Traceability between these requirements, the threat models, and the security test cases is important for validating the requirements prior to a product or application release.

For some software supply chain security risks, you can transform the security control into a security requirement. One such example would be the Infrastructure Security Control IS-08 for patching as seen in Chapter 4, Infrastructure Security in the Product Lifecycle. An application security requirement or user story specifically to auto-update software would resolve part of the IS-08 security control.
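The traceability check described above (requirements, threat-model findings, and security test cases tied together before release), as an added example that is not the book's code. The record format and all sample data, including the two requirements derived from control IS-08, are constructed assumptions.

```python
"""Traceability check between security requirements, threat-model findings and
security test cases. Added example, not from the book; the record format and
all sample data below are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class Requirement:
    req_id: str
    text: str
    source: str                                    # law, regulation, control, customer, threat model
    threat_ids: set = field(default_factory=set)   # threats this requirement mitigates
    test_ids: set = field(default_factory=set)     # security test cases that verify it


# Constructed sample: two requirements derived from patching control IS-08 and one
# from privacy by design. SR-003 has no test yet; one of SR-001's tests failed.
REQUIREMENTS = [
    Requirement("SR-001", "Verify the signature of an update package before installing it",
                "Control IS-08", {"TM-004"}, {"TC-101", "TC-102"}),
    Requirement("SR-002", "Encrypt personal data at rest", "Privacy by design", set(), {"TC-110"}),
    Requirement("SR-003", "Check for product updates at least once a day",
                "Control IS-08", {"TM-004"}, set()),
]
THREATS = {"TM-004": "Attacker serves a tampered update package",
           "TM-009": "Unauthenticated API endpoint exposes customer records"}
TEST_RESULTS = {"TC-101": "pass", "TC-102": "fail", "TC-110": "pass"}


def traceability_gaps(reqs, threats, tests):
    """Return the gaps that block a release: requirements with no test case,
    requirements whose test failed, threats no requirement addresses, and
    references to threats or tests that do not exist."""
    gaps = {"req_without_test": [], "req_with_failing_test": [],
            "threat_without_req": [], "dangling_ref": []}
    covered = set()
    for r in reqs:
        covered |= r.threat_ids
        if not r.test_ids:
            gaps["req_without_test"].append(r.req_id)
        for tid in r.threat_ids:
            if tid not in threats:
                gaps["dangling_ref"].append((r.req_id, tid))
        for tc in r.test_ids:
            if tc not in tests:
                gaps["dangling_ref"].append((r.req_id, tc))
            elif tests[tc] != "pass" and r.req_id not in gaps["req_with_failing_test"]:
                gaps["req_with_failing_test"].append(r.req_id)
    gaps["threat_without_req"] = sorted(set(threats) - covered)
    return gaps


def release_ready(reqs, threats, tests):
    """True only when every gap list is empty."""
    return not any(traceability_gaps(reqs, threats, tests).values())
```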

Secure Development Lifecycle Control 02

Control SDL-02: Document and maintain security requirements for applications and products. Include security requirements that are required by applicable laws and regulations.

Secure Design

The concept of secure design (or secure-by-design) is not only about architecture and infrastructure, but also about the security requirements implemented into the system. Within a product or application, secure design means the product has gone through activities that evaluate the requirements and potential threats in order to limit risk. Risk to software supply chain security is greatly reduced when secure design activities such as threat modeling are performed. Even products that were designed in the past will benefit greatly from a complete threat model that analyzes entry points, code, services, protocols, APIs, and more. Threat models should be considered living artifacts that you must re-examine when the architecture changes. When risks are identified through threat models, additional security requirements must be added to the product.

Another type of secure design is privacy by design (sometimes called PbD). This includes data security, data protection, and data localization requirements for personal or business data. Considering PbD early in the design process can significantly reduce rearchitecting databases, structures, and common methods such as encryption to meet changing privacy requirements.

Secure Development Lifecycle Control 03

Control SDL-03: Use secure-by-design and privacy-by-design concepts when designing applications and products. Conduct threat modeling on all code, services, systems, infrastructure, APIs, and protocols.

Secure Development

Secure development is one of the four key elements of an SDL. It involves the methods, techniques, and practices developers should follow and use during code development. This includes important areas such as proper error handling, fault handling, memory management, and following secure coding standards. Secure coding standards should always include checks for back doors and embedded private keys. Secure coding rules must be specific to the technology and languages your organization uses, but if your organization does not have secure coding standards in place, refer to the OWASP Secure Coding Practices-Quick Reference Guide as a baseline for your organization.
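One concrete form of the "check for back doors or private keys" rule above is a pre-commit scan of source files for embedded private key blocks and hardcoded credentials. This is an added example and not the book's or OWASP's code; the regex rules and the sample file contents are constructed assumptions and are illustrative rather than exhaustive.

```python
"""Pre-commit style scan for material a secure coding standard says must never be
committed: embedded private keys and hardcoded credentials. Added example, not
from the book; the rules and the sample files are constructed assumptions."""
import re

# Each rule is (finding name, pattern). Patterns are illustrative, not exhaustive.
RULES = [
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED |)PRIVATE KEY-----")),
    ("hardcoded_password",
     re.compile(r"""(?i)(?:password|passwd|pwd)\s*=\s*["'][^"']{4,}["']""")),
    ("hardcoded_api_token",
     re.compile(r"""(?i)(?:api[_-]?key|secret|token)\s*=\s*["'][A-Za-z0-9_\-]{16,}["']""")),
]


def scan_source(path, text):
    """Return (path, line number, finding name) for every line matching a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_tree(files):
    """Scan a mapping of path -> file contents (what a pre-commit hook would
    read from the staged files) and return all findings in path order."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_source(path, text))
    return findings


# Constructed sample repository. Reading a credential from the environment
# (tests/test_login.py) is the pattern the standard allows and is not flagged.
SAMPLE_FILES = {
    "src/config.py": 'DB_HOST = "db.internal"\n'
                     'DB_PASSWORD = "hunter2-prod"\n'
                     'API_KEY = "sk_constructed_0123456789abcdef"\n',
    "src/updater.py": "def verify(sig):\n    return sig is not None\n",
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                     "(key material omitted in this constructed sample)\n"
                     "-----END OPENSSH PRIVATE KEY-----\n",
    "tests/test_login.py": 'password = os.environ["TEST_PASSWORD"]\n',
}

if __name__ == "__main__":
    for finding in scan_tree(SAMPLE_FILES):
        print("%s:%d: %s" % finding)
```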
