Software Supply Chain Security Practice
A Software Supply Chain Security Practice is a risk-based software security development lifecycle practice that can support software supply chain security tasks.
- AKA: Third-Party Component Security Practice, Software Dependency Management Practice, Supply Chain Risk Management Practice.
- Context:
- It can typically identify Vulnerable Software Components through software supply chain security scanning.
- It can typically track Software Bills of Materials (SBOMs) through software supply chain security inventory management.
- It can typically verify Component Integrity through software supply chain security cryptographic verification.
- It can typically assess License Compliance Risks through software supply chain security license analysis.
- It can typically monitor Dependency Updates through software supply chain security continuous monitoring.
- ...
- It can often detect Malicious Package Injections through software supply chain security threat detection.
- It can often enforce Approved Component Lists through software supply chain security policy enforcement.
- It can often validate Build Pipeline Security through software supply chain security attestation.
- It can often require Vendor Security Assessments for software supply chain security due diligence.
- ...
- It can range from being a Manual Software Supply Chain Security Practice to being an Automated Software Supply Chain Security Practice, depending on its software supply chain security automation level.
- It can range from being a Reactive Software Supply Chain Security Practice to being a Proactive Software Supply Chain Security Practice, depending on its software supply chain security threat anticipation.
- It can range from being a Basic Software Supply Chain Security Practice to being a Comprehensive Software Supply Chain Security Practice, depending on its software supply chain security coverage scope.
- It can range from being a Periodic Software Supply Chain Security Practice to being a Continuous Software Supply Chain Security Practice, depending on its software supply chain security monitoring frequency.
- It can range from being a Shallow Software Supply Chain Security Practice to being a Deep Software Supply Chain Security Practice, depending on its software supply chain security dependency analysis depth.
- ...
- It can integrate with CI/CD Pipelines for software supply chain security build integration.
- It can connect to Vulnerability Databases for software supply chain security threat intelligence.
- It can interface with Container Registries for software supply chain security image scanning.
- It can communicate with Package Repositories for software supply chain security component verification.
- It can synchronize with Security Orchestration Platforms for software supply chain security incident response.
- ...
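The SBOM tracking, integrity verification and approved-component enforcement capabilities above combine into one check at deploy time. The following is an added example, not code from the page or any named project; the component names, hashes and the CycloneDX-like SBOM shape are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample data: artifact bytes as they were when the SBOM was produced at build time.
ARTIFACTS_AT_BUILD = {
    ("leftpad", "1.3.0"): b"module.exports = function leftpad(s, n) { return s.padStart(n); }\n",
    ("utils-extra", "0.9.1"): b"def helper():\n    return 1\n",
    ("fast-json", "2.0.0"): b"export const parse = JSON.parse;\n",
}

# Constructed sample data: what was actually fetched at deploy time.
# utils-extra has been altered, and an unexpected package "colorz" appeared.
FETCHED_AT_DEPLOY = dict(ARTIFACTS_AT_BUILD)
FETCHED_AT_DEPLOY[("utils-extra", "0.9.1")] = b"def helper():\n    import os; return 1\n"
FETCHED_AT_DEPLOY[("colorz", "4.0.0")] = b"console.log('hi');\n"

# Approved-component allowlist (constructed); fast-json is deliberately not on it.
APPROVED = {("leftpad", "1.3.0"), ("utils-extra", "0.9.1")}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(artifacts):
    """Record name, version and SHA-256 per component in a CycloneDX-like structure."""
    return {"components": [
        {"name": n, "version": v,
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(b)}]}
        for (n, v), b in artifacts.items()]}


def verify_components(sbom, fetched, approved):
    """Return one finding per component: OK, NOT_APPROVED, MISSING, HASH_MISMATCH or NOT_IN_SBOM."""
    findings = {}
    listed = set()
    for comp in sbom["components"]:
        key = (comp["name"], comp["version"])
        listed.add(key)
        expected = next(h["content"] for h in comp["hashes"] if h["alg"] == "SHA-256")
        if key not in approved:
            findings[key] = "NOT_APPROVED"          # policy enforcement against the allowlist
        elif key not in fetched:
            findings[key] = "MISSING"               # SBOM lists it but nothing was fetched
        elif not hmac.compare_digest(sha256_hex(fetched[key]), expected):
            findings[key] = "HASH_MISMATCH"         # integrity verification failed
        else:
            findings[key] = "OK"
    for key in fetched.keys() - listed:
        findings[key] = "NOT_IN_SBOM"               # extra component outside the inventory
    return findings


if __name__ == "__main__":
    for key, status in sorted(verify_components(build_sbom(ARTIFACTS_AT_BUILD),
                                                FETCHED_AT_DEPLOY, APPROVED).items()):
        print(f"{key[0]}@{key[1]}: {status}")
```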
- Example(s):
- Component Analysis Software Supply Chain Security Practices, such as:
- Software Composition Analysis (SCA) Practice, scanning for known vulnerabilities in dependencies.
- SBOM Generation Practice, creating comprehensive component inventories.
- Dependency Graph Analysis Practice, mapping transitive dependency relationships.
- Build Security Software Supply Chain Security Practices, such as:
- Reproducible Build Practice, ensuring deterministic build outputs.
- Build Attestation Practice, cryptographically signing build artifacts.
- Hermetic Build Practice, isolating builds from external influences.
- Runtime Software Supply Chain Security Practices, such as:
- Runtime Application Self-Protection (RASP) Practice, monitoring component behavior in production.
- Container Security Practice, scanning and monitoring containerized dependencies.
- Serverless Function Security Practice, validating function dependencies and layers.
- ...
- Counter-Example(s):
- Code Review Practice, which examines custom code but not third-party components.
- Network Security Practice, which protects infrastructure but not software dependencies.
- Data Security Practice, which secures information but not component integrity.
- Physical Security Practice, which protects facilities but not software supply chains.
- See: Software Security Practice, DevSecOps Practice, Third-Party Risk Management, Software Bill of Materials, Vulnerability Management Practice, Zero Trust Supply Chain, Software Provenance, Container Security, Open Source Security, Build Security Practice, Dependency Management.