Supply Chain Vulnerabilities
Software supply chain vulnerabilities refer to the potential risks and weaknesses introduced into software products during their development, distribution, and maintenance lifecycle.
- service providers
  - Vulnerabilities can be introduced if:
    - the services themselves have inadequate security measures
    - or the communication between these services and the rest of the supply chain is not secured correctly
- hardware suppliers
  - Vulnerabilities can be introduced by:
    - flaws in the hardware itself
    - firmware or low-level software drivers that interact closely with the hardware
- software providers
  - makers of libraries, frameworks, and other third-party components used in the software
- software bill of materials (SBOM) ^software-bill-of-materials
  - a comprehensive inventory of all components in a software product
  - includes:
    - the primary application code
    - all dependencies
      - libraries, frameworks, and other third-party components
  - aims to provide transparency and visibility into the software supply chain
    - helps mitigate software supply chain issues
Dependency Analysis and SBOM Tools
The OWASP Dependency-Check is a Software Composition Analysis (SCA) tool that identifies project dependencies and checks if there are any known, publicly disclosed vulnerabilities associated with them.
- useful for creating a software bill of materials (SBOM)
  - not its primary function
- can generate a report detailing all the libraries and components used in a software project and their respective versions
  - serves as a baseline for creating an SBOM
  - includes known vulnerabilities associated with these components
  - does not provide all SBOM information, such as licensing information or a complete list of all sub-components
SPDX (Software Package Data Exchange) is an open standard for communicating software bill of material information.
- includes component identification, licensing, and security references
CycloneDX is a lightweight specification designed to provide a more streamlined way to share and analyze SBOM data.
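The following is an added illustration, not part of these notes or of any of the tools named above: it parses a constructed pinned-dependency lockfile, emits a minimal CycloneDX JSON SBOM (one `library` component per dependency with a package URL), and then does the kind of SCA check Dependency-Check performs by matching components against a constructed advisory list. The package names, versions and `EXAMPLE-ADV-*` advisory IDs are all placeholders, and the version comparison is a deliberately simple numeric one.

```python
import json

# Constructed sample lockfile (pinned dependencies); package names are placeholders.
SAMPLE_LOCKFILE = """\
acme-http==2.25.1
acme-tls==1.26.4
# comments and blank lines are ignored

acme-web==2.0.3
"""

# Constructed advisory feed with placeholder IDs. A real SCA tool such as
# Dependency-Check pulls this data from public vulnerability databases instead.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "acme-tls", "fixed_in": "1.26.5"},
    {"id": "EXAMPLE-ADV-0002", "package": "acme-web", "fixed_in": "2.0.0"},
]

def parse_lockfile(text):
    """Return {name: version} for every 'name==version' line; reject unpinned entries."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line}")
        deps[name.lower()] = version
    return deps

def version_key(v):
    """Simplified comparison key: dotted integers only (no pre-release handling)."""
    return tuple(int(p) for p in v.split("."))

def build_cyclonedx(deps):
    """Minimal CycloneDX 1.4 JSON document with a purl for each component."""
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
        "components": [
            {"type": "library", "name": n, "version": v, "purl": f"pkg:pypi/{n}@{v}"}
            for n, v in sorted(deps.items())
        ],
    }

def find_vulnerable(bom, advisories):
    """Return (advisory id, purl) pairs where the component version predates the fix."""
    return [
        (adv["id"], comp["purl"])
        for comp in bom["components"] for adv in advisories
        if comp["name"] == adv["package"]
        and version_key(comp["version"]) < version_key(adv["fixed_in"])
    ]

if __name__ == "__main__":
    bom = build_cyclonedx(parse_lockfile(SAMPLE_LOCKFILE))
    print(json.dumps(bom, indent=2))
    for adv_id, purl in find_vulnerable(bom, SAMPLE_ADVISORIES):
        print(f"{adv_id}: {purl}")
```

The emitted document carries only identity and version data, which matches the note above that Dependency-Check output is a baseline for an SBOM rather than a complete one (no licensing, no sub-components).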