supply chain security;

Key Technologies for Software Supply Chain Security – Detection Techniques (Part 1) – Software Composition Analysis

março 6, 2023

Software supply chain security detection techniques must cover the software delivery life cycle, including software design, building, testing, and operation. There are mainly five types of security detection techniques, namely software composition analysis (SCA), static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), and FUZZ testing. Each of these […]

Key Technologies for Software Supply Chain Security—Techniques for Generating and Using the List of Software Compositions (Part 2)

fevereiro 17, 2023

Key Technologies for Software Supply Chain Security—Techniques for Generating and Using the List of Software Compositions (Part 1) Analysis Tools of List of Software Compositions According to the classification by the LINUX Foundation [1], SBOM tools are grouped into three categories, namely, to produce, consume and transform. Each category has three functions. For the producing […]

Key Technologies for Software Supply Chain Security—Techniques for Generating and Using the List of Software Compositions (Part 1)

fevereiro 13, 2023

The list of software compositions and the software bill of materials (SBOM) are different in the requirements for the granularity of the “minimum elements” of the software, without a substantial difference in technical ideas and implementation steps. Considering the relatively mature SBOM generation tools and techniques, this document focuses on various key SBOM techniques and […]

Relationship Between Security Concept and Security Assessment for Software Supply Chain

janeiro 5, 2023

The three concepts, transparency of software supply chain, assessable capabilities of software supply chain security, and trusted software supply chain, are closely related to the ability of end users to conduct security checks and assessments for the software supply chain, including: 1. Basic assessment of software composition security Upstream and downstream companies can provide end […]

Security Concept for Software Supply Chain (Part 3) – Building Trusted Software Supply Chain

dezembro 28, 2022

A crop of multi-level upstream and downstream security problems makes software supply chain (SSC) security more complex.  It is difficult to assess and control the security of the whole chain only depending on companies, but it is necessary to strengthen the security supervision of the supply chain products, provide companies SBOM hosting and trusted certification […]

Security Concept for Software Supply Chain (Part 1) — Transparency of Software Supply Chain Compositions

dezembro 2, 2022

Software supply chain security covers the whole software life cycle. In terms of software product complexity alone, apart from the software itself, it is necessary to ensure the security of the dependencies and transitive dependencies of software, as well as the security of the software ecosystem composed of these dependency chains. Especially regarding the issue […]

The Increasingly Complex and Varied Vectors to Attack Software Supply Chain

novembro 23, 2022

Unlike vulnerability exploitation in products, attack vectors and implementation channels targeting the supply chain in the real environment are more diverse. Due to the advantages of low development cost, the widespread use of open-source components in projects has become the mainstream development method. The conflict between a rule-relaxed open community and limited maintenance resources provides […]

Software Supply Chain Security: Overview

outubro 21, 2022

Software supply chain security is one of the key considerations in modern supply chain security. NSFOCUS Security Labs has conducted long-term research on security of the software supply chain. We’d like to publish a series of posts to share our observations, explore security issues existing in the software supply chain, conclude the core concepts, technical […]


Inscreva-se no Blog da NSFOCUS