Software supply chain security detection techniques must cover the software delivery life cycle, including software design, building, testing, and operation. There are mainly five types of security detection techniques, namely software composition analysis (SCA), static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), and FUZZ testing. Each of these […]

Key Technologies for Software Supply Chain Security—Techniques for Generating and Using the List of Software Compositions (Part 1) Analysis Tools of List of Software Compositions According to the classification by the LINUX Foundation [1], SBOM tools are grouped into three categories, namely, to produce, consume and transform. Each category has three functions. For the producing […]

The list of software compositions and the software bill of materials (SBOM) are different in the requirements for the granularity of the “minimum elements” of the software, without a substantial difference in technical ideas and implementation steps. Considering the relatively mature SBOM generation tools and techniques, this document focuses on various key SBOM techniques and […]

The three concepts, transparency of software supply chain, assessable capabilities of software supply chain security, and trusted software supply chain, are closely related to the ability of end users to conduct security checks and assessments for the software supply chain, including: 1. Basic assessment of software composition security Upstream and downstream companies can provide end […]

A crop of multi-level upstream and downstream security problems makes software supply chain (SSC) security more complex.  It is difficult to assess and control the security of the whole chain only depending on companies, but it is necessary to strengthen the security supervision of the supply chain products, provide companies SBOM hosting and trusted certification […]