Cybersecurity Frameworks & Standards For Securing Software Supply Chains
From NIST SSDF, Google SLSA, Gartner, Mitre & OWASP
Google SLSA & NIST SSDF: Emerging Software Supply Chain Security Best Practices
While no de facto standard for securing software supply chains exists yet, best practices for improving application security posture are starting to emerge. We have many frameworks to choose from, including NIST SSDF, Google/OpenSSF SLSA, Gartner, MITRE and OWASP. None of these frameworks is individually comprehensive, but taken together they enable us to compile a complete set of best practices.
Software Supply Chain Cybersecurity Frameworks
Google SLSA
Google SLSA, announced in mid-2021, is a framework for ensuring the integrity of software artifacts throughout the software supply chain.
NIST SSDF
With its creation spurred by executive order 16025, NIST SSDF is a cybersecurity framework designed to help ensure the integrity of critical software infrastructure. While compulsory for federal agencies, this framework may be applied to any government, private, public, or non-profit organization.
Application Security Frameworks
OWASP SAMM
OWASP SAMM is short for the Software Assurance Maturity Model. It was created to help organizations formulate and implement a strategy for software security.
PCI DSS
PCI DSS is a security framework first introduced in 2004 and is contractually required for organizations that handle cardholder data. This standard was created to increase controls around cardholder data in order to reduce credit card fraud.
ISO 27001
ISO 27001 provides requirements for an information security management system. This report covers a company’s controls and its operating effectiveness.
SOC 2 Type II
SOC 2 Type II is an audit of how a cloud-based service provider handles sensitive information. This report covers a company’s controls and its operating effectiveness.
FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) provides a standardized approach to security authorizations for Cloud Service Offerings. This report covers a company’s controls and its operating effectiveness.
MITRE SoT
MITRE’s System of Trust (SoT) is a recently announced framework designed to help evaluate suppliers, supplies, and service providers in order to mitigate software supply chain attacks. MITRE ATT&CK, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations, helped inform the SoT.