Cassie Crossley
Foreword by Emily Heath

Software Supply Chain Security
Securing the End-to-End Supply Chain for Software, Firmware, and Hardware
SECURITY

“For any policy maker looking for sustainable solutions to securing our software, this book serves as a great desk reference to understand our software supply chains, the foundational standards upon which they are built, and the risks associated with them.”
—Kemba Walden, Former Acting National Cyber Director, The White House

“Cassie is a known expert in software supply chain security, and this book provides clear, actionable guidance when the industry is rapidly evolving and in need of wisdom.”
—Christine Gadsby, Vice President, Product Security, Blackberry

Software Supply Chain Security

Trillions of lines of code help us in our lives, companies, and organizations. But just a single software cybersecurity vulnerability can stop entire companies from doing business and cause billions of dollars in revenue loss and business recovery. Securing the creation and deployment of software, also known as software supply chain security, goes well beyond the software development process. This practical book gives you a comprehensive look at security risks and identifies the practical controls you need to incorporate into your end-to-end software supply chain. Author Cassie Crossley demonstrates how and why everyone involved in the supply chain must participate if your organization is to improve the security posture of its software, firmware, and hardware.

With this book, you’ll learn how to:

• Pinpoint the cybersecurity risks in each part of your organization’s software supply chain
• Identify the roles that participate in the supply chain—including IT, development, operations, manufacturing, and procurement
• Design initiatives and controls for each part of the supply chain using existing frameworks and references
• Implement secure development lifecycle, source code security, software build management, and software transparency practices
• Evaluate third-party risk in your supply chain

Cassie Crossley is a cybersecurity technology executive in IT and product development with years of business and technical leadership experience.

US $55.99 CAN $69.99
ISBN: 978-1-098-13370-2
Praise for Software Supply Chain Security

Supply chain security is top of mind for all manufacturing companies; therefore, this book is definitely a reference for those who want to address this systematic risk.
—Christophe Blassiau, Cybersecurity and Product Security SVP, Global CISO and CPSO, Schneider Electric

Software touches everything: water, food, electricity, timely patient care. As society increasingly depends upon software, it increasingly depends upon those who produce it. Ready or not, transparency is coming. Where others have made excuses, Cassie has made progress advancing software trust and transparency, and now you can too.
—Josh Corman, Father of SBOM and Founder of public safety initiative, I Am the Cavalry

Cassie has been a pioneer in advocating for and advancing SBOM, particularly in critical infrastructure. This volume is a critical contribution that underscores the need for software transparency and highlights paths to implementation.
—Allan Friedman, PhD in public policy, SBOM champion

In today’s generative AI world, every company is a software company and is impacted by the software supply chain security. This book is a game-changer. This is a must-read guide designed to enlighten CEOs and board members alike.
—Nikhil Gupta, Founder and CEO, ArmorCode Inc.
Cassie has written a book that is comprehensive, detailed, technical, and easily readable. It is an excellent overview for beginners but very useful to cybersecurity pros on how the brave new world of software supply chains can be exploited—and defended.
—Charles Hart, Senior Analyst, Hitachi America, Ltd.

Cassie Crossley has been in the trenches of supply chain security and understands the real-world operational, legal, and financial challenges in a way that academics and bureaucrats don’t always grasp.
—JC Herz, SVP Exiger Cyber Supply Chain

Cassie brings a wealth of knowledge to this book, covering relevant attack vectors, emerging frameworks, vulnerability disclosures, products, open source, third-party suppliers and navigating the complex human element, all too often overlooked in software supply chain security.
—Chris Hughes, President and Cofounder, Aquia; Cyber Innovation Fellow (CIF) at CISA; Coauthor of Software Transparency

Cassie’s book is the most thorough, practical, organized, and actionable supply chain advice I’ve ever received. Via frameworks and detailed plans, this book lays out exactly what to do to ensure your entire product supply chain (physical or digital) is reliably secure.
—Tanya Janca (SheHacksPurple), Head of Community and Education, Semgrep; Author of Alice and Bob Learn Application Security

Securing software supply chains is complex and confusing. Cassie comprehensively addresses this with an experienced practitioner’s eye. This is a phenomenal resource for understanding the risks and how to address them. Technology and business leaders alike will benefit from this!
—Kent Landfield, Chief Standards and Technology Policy Strategist, Trellix

Software supply chain management requires more than an SBOM. Regulations, legislation, development models, and deployment decisions make the real world complex. Cassie does a fantastic job simplifying this complexity and providing actionable guidance to address your supply chain risks.
—Tim Mackey, Head of Software Supply Chain Risk Strategy, Synopsys
Software Supply Chain Security delves deep into the critical role of software supply chain security, revealing the pivotal importance it plays in safeguarding organizations. The book is well organized, making it an effective reference tool.
—Leda Muller, Chief Information and Privacy Officer, Stanford University, Residential and Dining Enterprises

Authored by a pioneer who inspired me to create the first-ever solution to manage and share SBOMs, this book is a treasure of expertise for product security professionals. It’s destined to become a pivotal reference for software supply chain security.
—Dmitry Raidman, Cofounder and CTO, Cybeats; Cofounder, Security Architecture Podcast

During a time of ever-increasing threats to our systems, this book serves as a practical guide for any organization looking to include software supply chain security as part of their risk management program.
—Grant Schneider, Former US Federal Chief Information Security Officer

In the last few years, industry has woken up to the need for software transparency. This book does an excellent job of summarizing the current landscape and providing context for those trying to improve best practices for managing risk.
—Kate Stewart, Vice President of Dependable Embedded Systems, The Linux Foundation

Cassie offers a thorough and global perspective on supply chain security, expertly covering regulatory, risk frameworks, software, hardware, and more, distinguishing itself from other US-centric texts. I highly recommend this book to anyone looking to reduce unverified trust in their supply chains.
—Tony Turner, Founder and CEO, Opswright; Coauthor of Software Transparency
Cassie Crossley

Software Supply Chain Security
Securing the End-to-End Supply Chain for Software, Firmware, and Hardware

Boston · Farnham · Sebastopol · Tokyo · Beijing
Software Supply Chain Security
by Cassie Crossley

Copyright © 2024 Cassaundra Crossley. All rights reserved.
Printed in the United States of America.

Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Acquisitions Editor: Jennifer Pollock
Development Editor: Rita Fernando
Production Editor: Elizabeth Faerm
Copyeditor: nSight, Inc.
Proofreader: J.M. Olejarz
Indexer: Ellen Troutman-Zaig
Interior Designer: Monica Kamsvaag
Cover Designer: Karen Montgomery
Illustrator: Kate Dullea

February 2024: First Edition

Revision History for the First Edition
2024-02-02: First Release

See http://oreilly.com/catalog/errata.csp?isbn=9781098133702 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Software Supply Chain Security, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

The views expressed in this work are those of the author and do not represent the publisher’s views. While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

ISBN: 978-1-098-13370-2
Table of Contents

Foreword  xiii
Preface  xvii

1. Supply Chain Security  1
   Supply Chain Definitions  2
   Software Supply Chain Security Impacts  3
   Requirements, Laws, Regulations, and Directives  5
   Summary  10

2. Supply Chain Frameworks and Standards  15
   Technology Risk Management Frameworks  16
   NIST SP 800-37 Risk Management Framework (RMF)  16
   ISO 31000:2018 Risk Management  18
   Control Objectives for Information and Related Technologies (COBIT®) 2019  22
   NIST Cybersecurity Framework (CSF)  24
   Supply Chain Frameworks and Standards  26
   NIST SP 800-161 Cybersecurity Supply Chain Risk Management for Systems and Organizations  26
   UK Supplier Assurance Framework  31
   MITRE System of Trust™ (SoT) Framework  32
   ISO/IEC 20243-1:2023 Open Trusted Technology Provider Standard  33
   SCS 9001 Supply Chain Security Standard  33
   ISO 28000:2022 Security and Resilience  34
   ISO/IEC 27036 Information Security for Supplier Relationships  34
   Framework and Standards Considerations Summary  35
   Summary  35

3. Infrastructure Security in the Product Lifecycle  39
   Developer Environments  40
   Code Repositories and Build Platforms  42
   Development Tools  44
   Labs and Test Environments  46
   Preproduction and Production Environments  48
   Software Distribution and Deployment Locations  48
   Manufacturing and Supply Chain Environments  50
   Customer Staging for Acceptance Tests  51
   Service Systems and Tools  52
   Summary  52

4. Secure Development Lifecycle  55
   Key Elements of an SDL  56
   Security Requirements  56
   Secure Design  58
   Secure Development  59
   Security Testing  59
   Vulnerability Management  60
   Augmenting an SDLC with SDL  62
   ISA/IEC 62443-4-1 Secure Development Lifecycle  62
   NIST SSDF  64
   Microsoft SDL  64
   ISO/IEC 27034 Application Security  65
   SAFECode  67
   SDL Considerations for IoT, OT, and Embedded Systems  67
   Product and Application Security Metrics  68
   Summary  69

5. Source Code, Build, and Deployment Management  73
   Source Code Types  73
   Open Source  74
   Commercial  76
   Proprietary  76
   Operating Systems and Frameworks  76
   Low-Code/No-Code  77
   Generative AI Source Code  77
   Code Quality  78
   Secure Coding Standards  78
   Software Analysis Technologies  79
   Code Reviews  80
   Source Code Integrity  81
   Change Management  82
   Trusted Source Code  82
   Trusted Dependencies  84
   Build Management  85
   Authentication and Authorization  85
   Build Scripts and Automation  85
   Repeatability and Reproducibility  86
   Code Signing  86
   Deployment Management  87
   Summary  89

6. Cloud and DevSecOps  93
   Cloud Frameworks, Controls, and Assessments  95
   ISO/IEC 27001 Information Security Management Systems  95
   Cloud Security Alliance CCM and CAIQ  96
   Cloud Security Alliance STAR Program  97
   American Institute of CPAs SOC 2  98
   US FedRAMP  98
   Cloud Security Considerations and Requirements  99
   DevSecOps  101
   Change Management for Cloud  101
   Secure Design and Development for Cloud Applications  103
   API Security  104
   Testing  105
   Deploying Immutable Infrastructure and Applications  105
   Securing Connections  106
   Operating and Monitoring  107
   Site Reliability Engineering  108
   Summary  108

7. Intellectual Property and Data  111
   Data Classification  112
   People  113
   Technology  114
   Data Security  115
   Loss of Code, Keys, and Secrets  117
   Design Flaws  118
   Configuration Errors  119
   Application Programming Interfaces (APIs)  120
   Vulnerabilities  121
   Summary  121

8. Software Transparency  125
   Software Transparency Use Cases  127
   Software Bill of Materials (SBOM)  131
   SBOM Formats  133
   SBOM Elements  134
   SBOM Limitations  135
   Additional Bill of Materials (BOMs)  137
   Vulnerability Disclosures  137
   Additional Transparency Approaches  139
   US CISA Secure Software Development Attestation Common Form  139
   Supply Chain Integrity, Transparency, and Trust (SCITT)  140
   Digital Bill of Materials and Sharing Mechanisms  140
   Graph of Understanding Artifact Composition (GUAC)  142
   In-Toto Attestation  143
   Software Provenance  143
   Practices and Technology  145
   Summary  146

9. Suppliers  149
   Cyber Assessments  151
   Assessment Responses  152
   Research  153
   IT Security Including Environmental Security  153
   Product/Application Security Organization  154
   Product Security Processes and Secure Development Lifecycle  155
   Training  156
   Secure Development and Security Testing  156
   Build Management, DevSecOps, and Release Management  157
   Scanning, Vulnerability Management, Patching, and SLAs  157
   Cloud Applications and Environments  158
   Development Services  159
   Manufacturing  159
   Cyber Agreements, Contracts, and Addendums  160
   Ongoing Supplier Management  162
   Monitoring  163
   Supplier Reviews  163
   Right to Audit and Assess  164
   Summary  164

10. Manufacturing and Device Security  167
   Suppliers and Manufacturing Security  168
   Equipment, Systems, and Network Security Configurations  170
   Physical Security  172
   Code, Software, and Firmware Integrity  172
   Tests for Integrity  173
   Counterfeits  174
   Chain of Custody  175
   Device Protection Measures  175
   Firmware Public Key Infrastructure (PKI)  176
   Hardware Root of Trust  176
   Secure Boot  176
   Secure Element  177
   Device Authentication  177
   Summary  177

11. People in the Software Supply Chain  179
   Cybersecurity Organizational Structures  180
   Security Champions  181
   Cybersecurity Awareness and Training  182
   Development Team  183
   Secure Development Lifecycle (SDL)  183
   Source Code Management  184
   DevSecOps and Cloud  185
   Capture-the-Flag Events  185
   Third-Party Suppliers  186
   Manufacturing and Distribution  186
   Customer Projects and Field Services  187
   End Users  187
   Summary  188

Appendix: Security Controls  191
Index  199
Foreword

The way we work has changed significantly over recent years with the adoption of cloud technologies that drive business strategy, artificial intelligence that brings data to life in ways we never thought possible, and compute power at everyone’s fingertips that allows us to do more. This change has been made possible by the underlying ecosystem of technology that is embedded in every area of our lives. Every device, vehicle, hospital, school, office, and home is driven by technology. This technology has an inherent supply chain of software, hardware, and firmware components to make it work and connect to our daily lives. The supply chain is seamless to most, but not to those who are tasked with protecting it.

It’s a magnificent evolution of technology that has changed how we live. It is therefore no surprise that the way in which we design, develop, and operate these technologies must also evolve. That comes with great responsibility to ensure we keep our technology safe and secure from cyberattacks that could cause anything from data exposure to operational failure to revenue impacts to loss of life.

As with any revolution, the pendulum can sometimes swing too far one way before normalizing over time. The inflection point between innovation and regulation, pulling from opposite ends of the spectrum, is a balance we must get right. The supply chain evolution has seen changes in many laws and regulations over the years, ranging from federal regulations to international laws that govern the software development lifecycle. These kinds of laws are important, yet they cannot hinder our ability to innovate and operate. We must apply them with a practical lens.

As with most aspects of security, there are many frameworks designed to ensure controls are in place to protect us from the array of threats we face. Those developed for software development lifecycles give great guidance to a subject that is often misunderstood. Building them into day-to-day practices and leveraging them as an enabler, rather than a hindrance, is very important to the continuity of business.

Before I went into technology, I was a fraud detective in England for many years. As a young recruit, I remember one of my police trainers telling me to “never forget we are all in the people business.” How true that statement has been throughout my career, and how true that is for cybersecurity professionals, who are almost 100% reliant on someone else doing something for them to succeed.

As a former chief information security officer (CISO) of Fortune 500 companies with vastly different technology supply chains, from buildings to aircraft to software products, I understand the challenges of bringing the many teams together to align on how to tackle these responsibilities. It is a complex ecosystem that needs dedicated focus at every step. Having continuity, integrity, and transparency across your technology supply chain is critical. And as my former police trainer would be proud to hear me say, the people are critical too. Security is not the job of one person or team alone; it is the job of everyone.

What Cassie has brought together in this book is a thoughtful, end-to-end guide of all the moving pieces and considerations that technology and security teams must think about as they build out their products or services. It is a practical blueprint for how to design and implement your security programs with modern supply chain risks in mind, whether you are in software development, manufacturing, critical infrastructure, or anything in between.

Cassie is one of the very few experts in her craft and draws from her years of hands-on experience managing these processes for complex organizations. She is skilled in managing the broader scope of supply chain risk that has extended beyond a company’s own four walls. Supply chain risk must be considered at all levels of your operation, including who you choose to partner with. Every company is an ecosystem. The multifaceted responsibility of supply chain security is therefore not just about what we develop, manufacture, or provide, but is also about the integrity and security of the partners that are built into our businesses. Third- and fourth-party risks are our responsibility. Cassie explains the importance of this lens throughout this book.
As a venture capital partner, I now have the privilege of working with some of the brightest minds in the business who are looking to solve emerging cyber challenges. It is where innovation meets operation. While the concept of technology supply chain security is not new, the way we work is. Code is everywhere. Risk is everywhere. With the right approach to balancing the technical designs and processes, the governance needed for transparency and integrity, and the people aspects of what a successful security program looks like, your chances of success are much higher.

Cassie’s willingness to impart her expertise and share it with others exemplifies what makes the cybersecurity community so strong. We are stronger together.

Stay safe out there!

— Emily Heath
General Partner, Cyberstarts Venture Capital
Board Member, Gen Digital (NASDAQ: GEN)
Board Member, Wiz
Board Member, Logicgate
Preface

Software is everywhere. Trillions of lines of source code are running every part of our lives. A single software vulnerability or ransomware attack can stop entire companies from doing business and cause billions of dollars in revenue loss and business recovery. Now, more than ever, we need to ensure that our software, firmware, and hardware are secure to keep our world up and running, safely and securely.

Malware, security vulnerabilities, application security, and product security are not new to the software industry, but now these topics have reached mainstream news because of the effects they have on everyone. My part in this became very real when I was visiting my family on the US East Coast the week of the Colonial Pipeline attack.[1] I spent two hours waiting in line at the sole gas station within 20 miles that had gas, and then the rest of that afternoon explaining to my family about business continuity and supply chain attacks.

Supply chains are critical to our lives. According to Investopedia, “a supply chain is a network of individuals and companies who are involved in creating a product and delivering it to the consumer.”[2] The same is true for software. Software usually is developed by multiple individuals, who are often part of multiple organizations or companies. Over time, thousands of developers may have code inside of a single application. For example, I wrote code for ZSoft’s paint.exe, which was sold to Microsoft in the 1980s. I’m certain there are lines of my code still in existence within MS Paint on the Microsoft Windows platform. Nearly 40 years later, an untold number of developers have also contributed their talents to the small, but useful, application.

Ensuring software security within the supply chain is difficult, usually due to the longevity of code that was written before secure development and secure design practices were in place. Combined with the ever-increasing threat actors who are constantly discovering new ways to exploit code and systems, it will always be difficult to guarantee a product or application’s security, but that should not prevent us from doing our absolute best to secure the software supply chain.
Despite the complicated nature of the software supply chain, it is our duty as software producers to establish secure supply chains and provide information to our consumers. As consumers, we should use this information to address the risks that the supply chain might present to our own organizations.

The effort to improve a company’s software supply chain is not small. And it’s not only a software development process problem: software supply chain security requires all parties in the supply chain to participate in order to improve the security posture of software, firmware, and hardware.

In this book, I will show you how to implement a software supply chain security program in an organization of any size, but especially for small companies that don’t have dedicated application or supply chain security experts. I will explain why each security control exists, without someone needing a computer science or cybersecurity degree to understand the security risks and the reasons for the controls.

This book is not intended to be an all-encompassing set of controls. You can remove any controls that are not applicable and add the controls you need to the controls framework you already have in place. I have included hundreds of references for those needing to follow mandated frameworks, standards, laws, or regulations. However, I must caution you to not limit yourself to those frameworks. You should always be extending and adapting your controls to meet the current gaps and risks within your organization.

Who Should Read This Book

This book is for anyone who has been tasked with the security of third parties, the supply chain, the purchase of products and applications for their organization, open source software, or software developed within their organization. You may or may not have “security” in your title. Anyone entrusted with the selection, production, and operation of software can use this book to understand the risks in the software supply chain and to implement controls and frameworks. The book doesn’t require a cybersecurity background, though some areas will be technical in explanation, with many references to encourage further learning.

I’ve created this practical reference to be understood by business and technology leaders, as well as those in the legal, procurement, insurance, and supply chain organizations. This book is also for security program leaders, whether in the role of CISO (chief information security officer), CPSO (chief product security officer), CSO (chief security officer), GRC (governance, risk, and compliance), application security, or product security.
Why I Wrote This Book

My software development story began with a visit to my dad’s work at the IBM manufacturing plant in Rochester, Minnesota, in the mid-1970s. My dad was a programmer, and although I didn’t really understand what he did, I knew it had something to do with making machines that produced interesting and complex things. Years later, I still find software development to be interesting, complex, and full of nuance. As someone who has participated as a developer, project manager, and executive leader in over a thousand releases for consumer and business applications, I understand the practical nature of releasing quality products on time and on budget. In my roles as cybersecurity leader and product security leader, I have also held the responsibility for delivering secure applications, products, systems, and infrastructure for a portfolio of over 15,000 intelligent products.

What led me to my passion for supply chain security, however, is a result of my work with the thousands of vendors in our supply chain. For years I have been meeting with suppliers to discuss their secure development lifecycle, secure testing plans, vulnerability management, third-party risk, and more. These suppliers, who contribute source code, software libraries, components, products, and services, usually do not have the resources of a large, multinational corporation. Identifying the key controls and practices for their specific situation requires an understanding of priorities, risk, and impacts. It’s a collaboration that is extremely important to me, and I’ve written this book specifically for organizations that are eager to improve software supply chain security.

Software supply chain security changes rapidly. No doubt there will be new and changed frameworks, documents, regulations, ideas, and links before this book is even published. It is my intention to keep this information as current as possible, so please feel free to sign up for my newsletter. You can also contact me at cassie@supplychainsecurity.pro to send updates, feedback, and corrections; schedule a meeting; or request me as a speaker or guest.

Navigating This Book

This book is organized as follows:

• Chapters 1 and 2 provide an introduction to the concepts of software supply chain security and explanations of the various frameworks and references in supply chain risk management.
• Chapter 3 summarizes the various infrastructure security controls that need special attention for software supply chain security.
• Chapter 4 explores the key practices within a secure development lifecycle and the various frameworks available.