Chapter 34 Further Reading: Supply Chain Security

Essential Reading

"Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks" by Marc Ohm et al. (2020). Comprehensive academic survey of supply chain attack patterns in open-source ecosystems. Categorizes attack vectors and provides a taxonomy for understanding dependency-based attacks.

"Surviving Software Dependencies" by Russ Cox, Communications of the ACM (2019). Written by the creator of Go modules, this article explains why software dependencies are a critical security problem and how language ecosystems can address them. Essential reading for understanding the foundational challenges.

"Taxonomy of Attacks on Open-Source Software Supply Chains" by Ladisa et al. (2023). An extensive taxonomy covering 107 unique attack vectors against open-source supply chains, organized by attack stage and target component. The most comprehensive categorization of supply chain threats to date.

Reports and Case Studies

SolarWinds Investigation Reports. Read the original reports from FireEye/Mandiant, Microsoft, and CISA for the definitive account of the SUNBURST attack: - FireEye: "Highly Evasive Attacker Leverages SolarWinds Supply Chain" (December 2020) - Microsoft: "Analyzing Solorigate" blog series (December 2020 - January 2021) - CISA: Alert AA20-352A and Supplemental Guidance

"XZ Utils Backdoor (CVE-2024-3094) Analysis" by Andres Freund and subsequent analyses. Read Freund's original disclosure on the oss-security mailing list, followed by community analysis of the social engineering campaign and technical backdoor.

Alex Birsan, "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" (2021). The original blog post describing the dependency confusion attack technique. A masterclass in creative security research.

Sonatype Annual "State of the Software Supply Chain" Report. Published annually, this report provides current statistics on supply chain attacks, dependency management practices, and ecosystem trends.

Frameworks and Standards

SLSA (Supply-chain Levels for Software Artifacts) Specification. Available at slsa.dev. Read the full specification to understand each level's requirements and the provenance model. The companion guides provide practical implementation advice.

NIST Secure Software Development Framework (SSDF) - SP 800-218. Provides a comprehensive set of secure development practices organized into four practice groups. Increasingly referenced in government procurement requirements.

NIST SP 800-161 Rev. 1: Cybersecurity Supply Chain Risk Management. Comprehensive guidance on managing cybersecurity risks throughout the supply chain, specifically designed for federal agencies but applicable broadly.

CycloneDX SBOM Standard. Available at cyclonedx.org. The OWASP standard for security-focused SBOMs. Read the specification and the use case guides for practical implementation.

in-toto Specification. Available at in-toto.io. The framework for end-to-end supply chain verification. The specification and demo provide a clear understanding of layout-based verification.

Tools Documentation

Sigstore Documentation. Available at docs.sigstore.dev. Covers Cosign (artifact signing), Fulcio (certificate authority), and Rekor (transparency log). Start with the quickstart guide, then read the architectural overview.

Syft and Grype Documentation. Available at github.com/anchore. Syft generates SBOMs; Grype scans them for vulnerabilities. The GitHub repositories contain comprehensive documentation and examples.

OWASP Dependency-Track. Available at dependencytrack.org. A component analysis platform for continuous SBOM monitoring. The documentation covers deployment, SBOM ingestion, policy management, and alerting.

OpenSSF Scorecard. Available at scorecard.dev. Documentation covers the scoring methodology, individual checks, and how to integrate Scorecard into CI/CD pipelines.

Academic and Research Papers

"The Update Framework (TUF) Specification" by Cappos et al. The formal specification for TUF, explaining its threat model, key management architecture, and how it prevents specific attacks against software update systems.

"Software Distribution Transparency and Auditability" by Benjamin Laurie. Explores the application of transparency log concepts (from Certificate Transparency) to software distribution.

"Reproducible Builds: Break a Log, Fix a Build" by Chris Lamb and Stefano Zacchiroli. Academic paper covering the principles, challenges, and state of the reproducible builds movement.

Community Resources

OpenSSF (Open Source Security Foundation). At openssf.org. A cross-industry initiative focused on improving open-source security. Produces Scorecard, Sigstore, SLSA, and other critical projects. Their working groups cover supply chain integrity, vulnerability disclosures, and security tooling.

Reproducible Builds Project. At reproducible-builds.org. Community focused on achieving and verifying reproducible builds. Provides tooling, documentation, and distribution-specific guides.

CISA Supply Chain Security Resources. Available at cisa.gov. Including the ICT Supply Chain Risk Management Task Force publications, which provide practical guidance for organizations of all sizes.

Supply Chain Security Con (S3C). An annual conference focused entirely on supply chain security. Past talks cover practical implementation, research findings, and emerging threats.

Books

"Software Transparency: Supply Chain Security in an Era of a Software-Driven Society" by Chris Hughes and Tony Turner (2023). Covers SBOM implementation, supply chain risk management, and regulatory compliance in a practical, accessible format.

"Securing the Software Supply Chain: Recommended Practices for Developers" by CISA, NSA, and ODNI (2022). A jointly published guide covering supply chain security from the developer's perspective. Free and comprehensive.