
New CS proposal: Software Supply Chain Security

Open EbonyAdder opened this issue 3 months ago • 3 comments

What is the proposed Cheat Sheet about?

The CS will provide an overview of SSCS, its relevance to developers, and practical guidance on improving the security of SSCs.

What security issues are commonly encountered related to this area?

  • Known vulnerable components used to build software
  • Using compromised or insecure third-party services or tools to develop, build, deliver, or otherwise manage software (which may not necessarily be "built" into the software as in the above)
  • Compromise of build script or processes
  • Compromise of code repositories or packages
  • Compromise of deployment processes or runtime environment (such as pulling a malicious update)

What is the objective of the Cheat Sheet?

The main objectives of the cheatsheet are: (1) provide an understanding of the various components which comprise the SSC, (2) identify common threats to the SSC, and (3) provide practical guidance on how developers can mitigate SSC risk.

What other resources exist in this area?

EbonyAdder, Mar 09 '24 17:03
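One way to turn the first and fourth threat items above (known vulnerable components, compromised packages) into a concrete developer-side check, as an added example that is not part of this proposal or of the OWASP project's code: a lock step records the SHA-256 of each artifact exactly as reviewed, and a verify step refuses anything whose hash, name or version drifts from the pin, or whose pinned version falls inside a known-vulnerable range. The package names, versions, advisory ranges and artifact bytes are all constructed for the example; a real implementation would read the lockfile and advisory feed from disk or an OSV-style service.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.3.0' into (1, 3, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class LockEntry:
    """One pinned dependency: exact version plus the SHA-256 of the reviewed artifact."""
    name: str
    version: str
    sha256: str


# Constructed advisory data (hypothetical packages and ranges, not real advisories):
# package -> list of (first vulnerable version, first fixed version).
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "leftpad": [("1.0.0", "1.3.1")],
    "yamlparse": [("0.0.0", "2.0.0")],
}


def is_known_vulnerable(name: str, version: str) -> bool:
    """True if `version` falls in any half-open [introduced, fixed) range for `name`."""
    v = parse_version(version)
    return any(
        parse_version(lo) <= v < parse_version(hi)
        for lo, hi in ADVISORIES.get(name, [])
    )


def lock_artifact(name: str, version: str, data: bytes) -> LockEntry:
    """The pin step: record the artifact exactly as it was reviewed."""
    return LockEntry(name, version, hashlib.sha256(data).hexdigest())


def verify_artifact(entry: LockEntry, name: str, version: str, data: bytes) -> List[str]:
    """The fetch-time check: compare what arrived with the pin. Empty list means accept."""
    findings: List[str] = []
    if name != entry.name:
        findings.append(f"name mismatch: expected {entry.name}, got {name}")
    if version != entry.version:
        findings.append(f"version mismatch: expected {entry.version}, got {version}")
    digest = hashlib.sha256(data).hexdigest()
    # compare_digest avoids timing side channels when comparing digests.
    if not hmac.compare_digest(digest, entry.sha256):
        findings.append("sha256 mismatch: artifact differs from the pinned build")
    # A pin is only as good as the version it pins; re-check advisories at verify time too.
    if is_known_vulnerable(entry.name, entry.version):
        findings.append(f"{entry.name} {entry.version} is in a known-vulnerable range")
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """Pin a constructed artifact, then verify an intact copy and a tampered copy."""
    good = b"def leftpad(s, n):\n    return s.rjust(n)\n"  # constructed artifact
    entry = lock_artifact("leftpad", "1.3.1", good)
    tampered = good + b"# one injected line is enough to change the digest\n"
    intact_findings = verify_artifact(entry, "leftpad", "1.3.1", good)
    tampered_findings = verify_artifact(entry, "leftpad", "1.3.1", tampered)
    return intact_findings, tampered_findings


if __name__ == "__main__":
    ok, bad = demo()
    print("intact artifact:", ok or "accepted")
    print("tampered artifact:", bad)
```

The hash is what catches a swapped package even when name and version match, which is why lockfile formats such as pip's `--hash` requirements or npm's `integrity` fields carry a digest rather than just a version. The advisory check runs on the pinned version, so a pin taken before an advisory was published still gets flagged on the next verify.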

Looks awesome, do you want to work on PR @EbonyAdder?

mackowski, Mar 11 '24 09:03

Thanks @mackowski and sorry for the late response; yes, I would like to work on the PR.

EbonyAdder, Mar 16 '24 16:03

Thank you Daniel!

jmanico, Mar 16 '24 17:03