APPSEC BEST PRACTICES

Cybersecurity Frameworks & Standards For Securing Software Supply Chains

From NIST SSDF, Google SLSA, Gartner, Mitre & OWASP

Google SLSA & NIST SSDF: Emerging Software Supply Chain Security Best Practices

While no de facto standard for securing software supply chains exists yet, best practices for improving application security posture are starting to emerge. There are many frameworks to choose from, including NIST SSDF, Google/OpenSSF SLSA, Gartner, MITRE and OWASP. None of these frameworks is comprehensive on its own, but taken together they let us compile a complete set of best practices.

Software Supply Chain Cybersecurity Frameworks

Google SLSA

Google SLSA, announced in mid-2021, is a framework for ensuring the integrity of software artifacts throughout the software supply chain.

NIST SSDF

Created in response to executive order 16025, NIST SSDF is a framework designed to help ensure the integrity of critical software infrastructure. While compulsory for federal agencies, the framework can be applied by any government, private, public, or non-profit organization.

Gartner

How Software Engineering Leaders Can Mitigate Software Supply Chain Security Risks

Application Security Frameworks

OWASP SAMM

OWASP SAMM is short for the Software Assurance Maturity Model. It was created to help organizations formulate and implement a strategy for software security.

PCI DSS

PCI DSS is a security standard first introduced in 2004 and contractually required of organizations that handle cardholder data. It was created to strengthen controls around cardholder data in order to reduce credit card fraud.

ISO 27001

ISO 27001 provides requirements for an information security management system. This report covers a company’s controls and its operating effectiveness.

SOC 2 Type II

SOC 2 Type II is an audit on how a cloud-based service provider handles sensitive information. This report covers a company’s controls and its operating effectiveness.

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security authorizations for Cloud Service Offerings. This report covers a company’s controls and its operating effectiveness.

MITRE SoT

MITRE’s System of Trust (SoT) is a recently announced framework designed to help evaluate suppliers, supplies, and service providers in order to mitigate software supply chain attacks. MITRE ATT&CK, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, helped shape the SoT.
