Key Technologies for Software Supply Chain Security – Detection Techniques (Part 1) – Software Composition Analysis

março 6, 2023
Software supply chain security detection techniques must cover the software delivery life cycle, including software design, building, testing, and operation. There are mainly five types of security detection techniques, namely software composition analysis (SCA), static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), and FUZZ testing. Each of these […]
Key Technologies for Software Supply Chain Security—Techniques for Generating and Using the List of Software Compositions (Part 2)

fevereiro 17, 2023
Key Technologies for Software Supply Chain Security—Techniques for Generating and Using the List of Software Compositions (Part 1) Analysis Tools of List of Software Compositions According to the classification by the LINUX Foundation [1], SBOM tools are grouped into three categories, namely, to produce, consume and transform. Each category has three functions. For the producing […]
Key Technologies for Software Supply Chain Security—Techniques for Generating and Using the List of Software Compositions (Part 1)

fevereiro 13, 2023
The list of software compositions and the software bill of materials (SBOM) are different in the requirements for the granularity of the “minimum elements” of the software, without a substantial difference in technical ideas and implementation steps. Considering the relatively mature SBOM generation tools and techniques, this document focuses on various key SBOM techniques and […]
Technical Framework of Software Supply Chain Security

janeiro 31, 2023
NSFOCUS Security Labs is keeping an eye out for the trends in supply chain security and is pleased to share observations and thoughts with our blog readers. You will see the links for more posts we published about software supply chain security at the end of the article. In this post, we are going to […]
Relationship Between Security Concept and Security Assessment for Software Supply Chain

janeiro 5, 2023
The three concepts, transparency of software supply chain, assessable capabilities of software supply chain security, and trusted software supply chain, are closely related to the ability of end users to conduct security checks and assessments for the software supply chain, including: 1. Basic assessment of software composition security Upstream and downstream companies can provide end […]
Security Concept for Software Supply Chain (Part 3) – Building Trusted Software Supply Chain

dezembro 28, 2022
A crop of multi-level upstream and downstream security problems makes software supply chain (SSC) security more complex. It is difficult to assess and control the security of the whole chain only depending on companies, but it is necessary to strengthen the security supervision of the supply chain products, provide companies SBOM hosting and trusted certification […]
The Increasing Trend of Software Supply Chain Attacks

novembro 8, 2022
Compared with traditional security threats, supply chain threats have a spreading influence. Vulnerabilities of upstream products will affect all downstream roles, causing security risks to spread along the supply chain and consequently expanding the attack area. In recent years, several influential supply chain attacks have taken place, involving open-source components, public code repositories, and cloud […]
Threats against Software Supply Chain Security

novembro 1, 2022
In the last post of this series, we had an overview of software supply chain security and summarized some observations during the research. You can read the previous post here. In this post, we’re going to talk about the threats faced by the software supply chain. Globalized economic development has brought more opportunities and […]