Skip to content

Appendix b

Appendix B: Resource Guide

This appendix provides curated resources for readers seeking deeper knowledge in open source security and software supply chain security. Resources are organized by category and annotated to help you identify the most relevant materials for your needs.

Essential Reading

Books

Building Secure and Reliable Systems by Heather Adkins et al. (O'Reilly, 2020)1 Written by Google security and SRE professionals, this book bridges the gap between security and reliability engineering. Freely available online, it offers practical guidance on integrating security throughout the software lifecycle.

Software Transparency: Supply Chain Security in an Era of a Software-Driven Society by Chris Hughes and Tony Turner (Wiley, 2022)2 A comprehensive treatment of software supply chain security with particular emphasis on SBOMs, policy frameworks, and organizational implementation strategies.

Threat Modeling: Designing for Security by Adam Shostack (Wiley, 2014)3 The definitive guide to threat modeling methodology. Essential reading for anyone designing secure systems or evaluating the security posture of software projects.

The Art of Software Security Assessment by Mark Dowd, John McDonald, and Justin Schuh (Addison-Wesley, 2006)4 Though focused on vulnerability discovery, this comprehensive text provides deep understanding of how software vulnerabilities arise—essential context for supply chain security practitioners.

Hacking Kubernetes by Andrew Martin and Michael Hausenblas (O'Reilly, 2021)5 Covers security considerations for containerized environments and Kubernetes, including supply chain concerns specific to cloud-native infrastructure.

Alice and Bob Learn Application Security by Tanya Janca (Wiley, 2020)6 An accessible introduction to application security that covers secure development practices, making it suitable for developers new to security concepts.

Practical Binary Analysis by Dennis Andriesse (No Starch Press, 2018)7 For readers interested in understanding binary-level security analysis, this book covers disassembly, instrumentation, and analysis techniques relevant to verifying software artifacts.

Foundational Papers

"Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks" by Marc Ohm et al. (2020)8 A systematic taxonomy of software supply chain attacks against open source ecosystems. Essential reading for understanding the threat landscape.

"in-toto: Providing farm-to-table guarantees for bits and bytes" by Santiago Torres-Arias et al. (USENIX Security 2019)9 The foundational paper describing the in-toto framework for supply chain integrity, explaining its cryptographic attestation model.

"Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies" by Alex Birsan (2021)10 The original disclosure of the dependency confusion attack vector. Required reading for understanding this critical vulnerability class.

"An Empirical Study of Malicious Code in PyPI Ecosystem" by Ruian Duan et al. (ASE 2020)11 Research analyzing malicious packages in the Python ecosystem, providing data-driven insights into attack patterns and detection approaches.

"A Look at the Security of npm" by Markus Zimmermann et al. (2019)12 Comprehensive security analysis of the npm ecosystem examining maintainer practices, vulnerability propagation, and security risks.

"Reproducible Builds: Increasing the Integrity of Software Supply Chains" by Chris Lamb and Stefano Zacchiroli (IEEE Software 2022)13 Academic treatment of reproducible builds, explaining why they matter and the technical challenges involved in achieving them.

"World of Code: An Infrastructure for Mining the Universe of Open Source VCS Data" by Yuxing Ma et al. (MSR 2019)14 Describes infrastructure for large-scale analysis of open source code, relevant for understanding ecosystem-wide security research methodologies.

"Research Directions in Software Supply Chain Security" by Hasan et al. (ACM TOSEM 2025)15 Peer-reviewed survey identifying research gaps and future directions in supply chain security, providing scholarly foundation for the discipline.

"SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties" by Ladisa et al. (arXiv 2024)16 Systematization of Knowledge paper proposing a framework of four attack stages and three security properties (transparency, validity, separation) for evaluating supply chain defenses.

Key Industry Reports

Sonatype State of the Software Supply Chain Report (Annual)17 Comprehensive annual report tracking supply chain attacks, open source consumption trends, and security metrics across major ecosystems.

Snyk State of Open Source Security Report (Annual)18 Data-driven analysis of vulnerability trends, fixing times, and security practices across open source projects.

OpenSSF Scorecard Report19 Periodic reports analyzing security practices across open source projects using the Scorecard framework.

CISA Secure Software Development Framework (SSDF)20 NIST Special Publication 800-218 providing a core set of secure development practices that form the basis for many organizational policies.

CISA Software Bill of Materials (SBOM) Resources21 Official U.S. government guidance on SBOM implementation, including minimum element requirements and sharing practices.

Linux Foundation Census Reports22 Research identifying the most critical open source packages, informing where security investments should be prioritized.

CNCF Software Supply Chain Best Practices White Paper v2 (November 2024)74 Updated guidance from CNCF TAG Security on supply chain security best practices, including persona-based recommendations for developers, operators, and security teams. Referenced by NIST SSDF.

Synopsys Open Source Security and Risk Analysis (OSSRA) Report (Annual)23 Analysis based on audits of commercial codebases, revealing open source usage patterns and risk exposure.

Key Organizations

Standards and Coordination Bodies

Open Source Security Foundation (OpenSSF)24 The primary cross-industry initiative for improving open source security. Hosts working groups on vulnerability disclosure, supply chain integrity, security tooling, and education. Essential for anyone working in this space.

Cybersecurity and Infrastructure Security Agency (CISA)25 U.S. federal agency providing guidance, alerts, and coordination for software security. Key source for government policy and requirements.

MITRE Corporation26 Operates CVE, CWE, ATT&CK, and other foundational security resources. Understanding MITRE's frameworks is essential for security practitioners.

Forum of Incident Response and Security Teams (FIRST)27 Global forum for incident response teams that maintains CVSS and promotes coordinated vulnerability disclosure practices.

Internet Engineering Task Force (IETF)28 Develops internet standards including security protocols relevant to software distribution and verification.

Open Source Foundations

Linux Foundation29 Hosts numerous critical projects including the Linux kernel, Kubernetes, and many supply chain security initiatives including Sigstore and SPDX.

Apache Software Foundation30 Stewards over 350 open source projects with established governance and security response processes. Their security model is worth studying.

Cloud Native Computing Foundation (CNCF)31 Hosts cloud-native projects including Kubernetes, in-toto, and Notary. Maintains security guidelines for cloud-native supply chains.

Open Web Application Security Project (OWASP)32 Produces security guidance, tools, and educational resources. Key projects include Dependency-Check, CycloneDX, and the Software Component Verification Standard.

Python Software Foundation33 Governs Python and PyPI, implementing security features like trusted publishing that serve as models for other ecosystems.

Rust Foundation34 Supports the Rust ecosystem, notable for its memory safety focus and crates.io security practices.

Tooling Reference

Software Composition Analysis (SCA)

OWASP Dependency-Check35 Open source tool that identifies project dependencies and checks for known vulnerabilities. Supports multiple languages and integrates with CI/CD systems.

Grype36 Fast, open source vulnerability scanner for container images and filesystems. Pairs well with Syft for SBOM generation.

Snyk37 Commercial platform (with free tier) for vulnerability scanning, license compliance, and dependency management across multiple ecosystems.

Dependabot38 GitHub-integrated tool that automatically creates pull requests to update vulnerable dependencies. Now part of GitHub's native security features.

Trivy39 Comprehensive scanner for vulnerabilities, misconfigurations, secrets, and SBOM generation in containers, filesystems, and repositories.

SBOM Generation and Management

Syft40 Powerful CLI tool for generating SBOMs from container images and filesystems. Supports SPDX, CycloneDX, and custom formats.

CycloneDX Tools41 Collection of tools for generating, validating, and managing CycloneDX SBOMs across various programming languages.

SPDX Tools42 Official tools for working with SPDX format SBOMs, including validators, converters, and generators.

SBOM Scorecard43 Tool for evaluating the quality and completeness of SBOMs against best practices.

Signing and Verification

Sigstore44 Free, open infrastructure for signing and verifying software artifacts. Includes Cosign, Fulcio, and Rekor components.

Cosign45 Tool for signing and verifying container images and other artifacts. Supports keyless signing via Sigstore.

The Update Framework (TUF)46 Framework for securing software update systems against various attack types. Used by PyPI, RubyGems, and others.

Notary47 CNCF project implementing TUF for container image signing and verification.

Supply Chain Security Frameworks

SLSA Tools48 Generators and verifiers for SLSA provenance, with GitHub Actions integration.

OpenSSF Scorecard49 Automated tool that assesses open source project security practices against a defined set of checks.

in-toto50 Framework for generating and verifying supply chain metadata through cryptographic attestations.

OSS Gadget51 Microsoft's collection of tools for analyzing open source packages, including health metrics and security checks.

Static Analysis

CodeQL52 Semantic code analysis engine from GitHub. Query language enables sophisticated vulnerability detection. Free for open source.

Semgrep53 Fast, open source static analysis tool with an extensive rule library. Supports custom rule creation.

Capslock54 Capability analysis for Go, Rust, and Java. Maps what dependencies can access (files, network, exec) to enforce least privilege and detect supply chain anomalies.

SonarQube55 Platform for continuous code quality and security inspection. Community edition is free and open source.

Bandit56 Python-focused security linter that finds common security issues in Python code.

Fuzzing

OSS-Fuzz57 Google's continuous fuzzing service for critical open source projects. Provides infrastructure and integration support.

AFL++58 Community-maintained fork of American Fuzzy Lop with improved performance and features.

ClusterFuzz59 Scalable fuzzing infrastructure that powers OSS-Fuzz. Available for self-hosting.

Secret Detection

Gitleaks60 Fast, open source tool for detecting secrets in git repositories.

TruffleHog61 Scans repositories for high-entropy strings and known credential patterns.

detect-secrets62 Yelp's audited tool for preventing secrets from entering codebases.

Conferences and Community Events

Major Security Conferences

Black Hat63 Premier security conference featuring cutting-edge research presentations. Supply chain security tracks have grown significantly in recent years.

DEF CON64 Largest hacker convention with villages dedicated to specific security domains. Excellent for hands-on learning and community engagement.

RSA Conference65 Major enterprise security conference with significant vendor presence and policy discussions.

USENIX Security Symposium66 Academic security conference publishing peer-reviewed research, including foundational supply chain security papers.

Open Source and DevSecOps Events

Open Source Summit67 Linux Foundation's flagship event combining multiple conferences including Open Source Security Summit.

KubeCon + CloudNativeCon68 Premier cloud-native conference with extensive supply chain security content. Co-located events include SupplyChainSecurityCon.

SupplyChainSecurityCon69 Dedicated conference focusing specifically on software supply chain security topics.

OWASP Global AppSec70 Application security conference with strong focus on practical security implementation.

PackagingCon71 Conference dedicated to software package management, relevant for understanding ecosystem security.

Community Meetups and Working Groups

OpenSSF Working Groups72 Regular meetings of OpenSSF working groups are open to public participation. Excellent way to contribute to industry initiatives.

CNCF Security TAG73 Technical Advisory Group on security for cloud-native projects. Publishes guidance and reviews project security.

Package Manager Security Summits Informal gatherings of package manager maintainers to discuss shared security challenges. Watch OpenSSF announcements for scheduling.

Training and Certification Programs

Free Online Courses

OpenSSF Secure Software Development Fundamentals75 Free, self-paced course covering secure development practices. Provides certificate upon completion.

OpenSSF Developing Secure Software (LFD121)76 Comprehensive course on secure software development fundamentals offered through Linux Foundation.

OWASP Web Security Testing Guide77 While not a formal course, this comprehensive guide serves as an excellent self-study resource.

Google's Secure Coding Practices78 Collection of security guides and best practices from Google covering various platforms and languages.

Professional Certifications

Certified Secure Software Lifecycle Professional (CSSLP)79 ISC2 certification focused on incorporating security throughout the software lifecycle.

GIAC Secure Software Programmer (GSSP)80 SANS certification demonstrating secure coding competency in specific languages.

Certified Kubernetes Security Specialist (CKS)81 Linux Foundation certification covering Kubernetes security including supply chain considerations.

SANS Secure Coding Courses82 Industry-recognized training covering secure development across multiple languages and platforms.

Linux Foundation Security Training83 Various courses on container security, Kubernetes security, and secure development practices.

Newsletters, Blogs, and Ongoing Learning

Newsletters

tl;dr sec84 Weekly newsletter curating security content with excellent coverage of supply chain security topics. Highly recommended.

This Week in Security85 Weekly security news roundup covering vulnerabilities, incidents, and industry developments.

Risky Business86 Security news podcast with excellent analysis of significant security events.

Software Supply Chain Security Newsletter87 Focused specifically on supply chain security news and developments.

Blogs and Publications

OpenSSF Blog88 Official blog covering OpenSSF initiatives, research, and community updates.

Trail of Bits Blog89 Technical security research from a leading security firm. Frequently covers supply chain topics.

Google Security Blog90 Official Google security blog with announcements about SLSA, Sigstore, and other initiatives.

Chainguard Blog91 Focused on supply chain security, container security, and Sigstore ecosystem.

Socket.dev Blog92 Analysis of supply chain attacks and package security across ecosystems.

Snyk Blog93 Regular vulnerability analyses, security research, and best practice guides.

Vulnerability Databases and Feeds

National Vulnerability Database (NVD)94 Official U.S. government repository of CVE data with CVSS scores and analysis.

GitHub Advisory Database95 Curated database of security advisories with direct links to affected packages.

OSV (Open Source Vulnerabilities)96 Google-maintained vulnerability database with API access and ecosystem coverage.

VulnDB97 Commercial vulnerability intelligence with broader coverage than NVD alone.

Resources in this guide were verified as of the publication date. For the most current links and additional resources, visit the book's companion website or the OpenSSF resource collection.

  1. Google, "Building Secure and Reliable Systems," 2020, https://sre.google/books/building-secure-reliable-systems/ 

  2. Wiley, "Software Transparency: Supply Chain Security in an Era of a Software-Driven Society," 2022, https://www.wiley.com/en-us/Software+Transparency-p-9781119986362 

  3. Adam Shostack, "Threat Modeling: Designing for Security," 2014, https://shostack.org/books/threat-modeling-book 

  4. Pearson, "The Art of Software Security Assessment," 2006, https://www.pearson.com/en-us/subject-catalog/p/art-of-software-security-assessment-the-identifying-and-preventing-software-vulnerabilities/P200000009486 

  5. O'Reilly, "Hacking Kubernetes," 2021, https://www.oreilly.com/library/view/hacking-kubernetes/9781492081722/ 

  6. Wiley, "Alice and Bob Learn Application Security," 2020, https://www.wiley.com/en-us/Alice+and+Bob+Learn+Application+Security-p-9781119687405 

  7. No Starch Press, "Practical Binary Analysis," 2018, https://nostarch.com/binaryanalysis 

  8. Marc Ohm et al., "Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks," 2020, https://arxiv.org/abs/2005.09535 

  9. Santiago Torres-Arias et al., "in-toto: Providing farm-to-table guarantees for bits and bytes," USENIX Security 2019, https://www.usenix.org/conference/usenixsecurity19/presentation/torres-arias 

  10. Alex Birsan, "Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies," 2021, https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 

  11. Ruian Duan et al., "An Empirical Study of Malicious Code in PyPI Ecosystem," ASE 2020, https://arxiv.org/abs/2309.11021 

  12. Markus Zimmermann et al., "A Look at the Security of npm," 2019, https://arxiv.org/abs/1902.09217 

  13. Chris Lamb and Stefano Zacchiroli, "Reproducible Builds: Increasing the Integrity of Software Supply Chains," IEEE Software 2022, https://arxiv.org/abs/2104.06020 

  14. Yuxing Ma et al., "World of Code: An Infrastructure for Mining the Universe of Open Source VCS Data," MSR 2019, https://arxiv.org/abs/1906.07083 

  15. Hasan et al., "Research Directions in Software Supply Chain Security," ACM TOSEM, 2025, https://dl.acm.org/doi/abs/10.1145/3714464 

  16. Ladisa et al., "SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties," arXiv:2406.10109, 2024, https://arxiv.org/abs/2406.10109 

  17. Sonatype, "State of the Software Supply Chain Report," https://www.sonatype.com/state-of-the-software-supply-chain 

  18. Snyk, "State of Open Source Security Report," https://snyk.io/reports/open-source-security/ 

  19. OpenSSF, "OpenSSF Blog," https://openssf.org/blog/ 

  20. NIST, "Secure Software Development Framework (SSDF)," https://csrc.nist.gov/Projects/ssdf 

  21. CISA, "Software Bill of Materials (SBOM)," https://www.cisa.gov/sbom 

  22. Linux Foundation, "Research," https://www.linuxfoundation.org/research 

  23. Synopsys, "Open Source Security and Risk Analysis (OSSRA) Report," https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html 

  24. Open Source Security Foundation, "OpenSSF," https://openssf.org 

  25. CISA, "Cybersecurity and Infrastructure Security Agency," https://www.cisa.gov 

  26. MITRE, "MITRE Corporation," https://www.mitre.org 

  27. FIRST, "Forum of Incident Response and Security Teams," https://www.first.org 

  28. IETF, "Internet Engineering Task Force," https://www.ietf.org 

  29. Linux Foundation, "Linux Foundation," https://www.linuxfoundation.org 

  30. Apache Software Foundation, "Apache Software Foundation," https://www.apache.org 

  31. CNCF, "Cloud Native Computing Foundation," https://www.cncf.io 

  32. OWASP, "Open Web Application Security Project," https://owasp.org 

  33. Python Software Foundation, "Python Software Foundation," https://www.python.org/psf/ 

  34. Rust Foundation, "Rust Foundation," https://foundation.rust-lang.org 

  35. OWASP, "OWASP Dependency-Check," https://owasp.org/www-project-dependency-check/ 

  36. Anchore, "Grype," https://github.com/anchore/grype 

  37. Snyk, "Snyk," https://snyk.io 

  38. GitHub, "Dependabot," https://github.com/dependabot 

  39. Aqua Security, "Trivy," https://github.com/aquasecurity/trivy 

  40. Anchore, "Syft," https://github.com/anchore/syft 

  41. CycloneDX, "CycloneDX Tool Center," https://cyclonedx.org/tool-center/ 

  42. SPDX, "SPDX Tools," https://spdx.dev/tools/ 

  43. eBay, "SBOM Scorecard," https://github.com/eBay/sbom-scorecard 

  44. Sigstore, "Sigstore," https://www.sigstore.dev 

  45. Sigstore, "Cosign," https://github.com/sigstore/cosign 

  46. TUF, "The Update Framework," https://theupdateframework.io 

  47. Notary Project, "Notary," https://github.com/notaryproject/notary 

  48. SLSA, "SLSA Get Started," https://slsa.dev/get-started 

  49. OpenSSF, "Security Scorecards," https://securityscorecards.dev 

  50. in-toto, "in-toto," https://in-toto.io 

  51. Microsoft, "OSS Gadget," https://github.com/microsoft/OSSGadget 

  52. GitHub, "CodeQL," https://codeql.github.com 

  53. Semgrep, "Semgrep," https://semgrep.dev 

  54. Capslock Project, https://capslock-project.github.io 

  55. SonarSource, "SonarQube," https://www.sonarqube.org 

  56. Bandit, "Bandit," https://bandit.readthedocs.io 

  57. Google, "OSS-Fuzz," https://google.github.io/oss-fuzz/ 

  58. AFL++, "AFL++," https://aflplus.plus 

  59. Google, "ClusterFuzz," https://google.github.io/clusterfuzz/ 

  60. Gitleaks, "Gitleaks," https://github.com/gitleaks/gitleaks 

  61. Truffle Security, "TruffleHog," https://github.com/trufflesecurity/trufflehog 

  62. Yelp, "detect-secrets," https://github.com/Yelp/detect-secrets 

  63. Black Hat, "Black Hat," https://www.blackhat.com 

  64. DEF CON, "DEF CON," https://defcon.org 

  65. RSA Conference, "RSA Conference," https://www.rsaconference.com 

  66. USENIX, "USENIX Conferences," https://www.usenix.org/conferences 

  67. Linux Foundation, "Linux Foundation Events," https://events.linuxfoundation.org 

  68. Linux Foundation, "KubeCon + CloudNativeCon," https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/ 

  69. Linux Foundation, "SupplyChainSecurityCon," https://events.linuxfoundation.org 

  70. OWASP, "OWASP Events," https://owasp.org/events/ 

  71. PackagingCon, "PackagingCon," https://packaging-con.org 

  72. OpenSSF, "OpenSSF Community," https://openssf.org/community/ 

  73. CNCF, "CNCF Security TAG," https://github.com/cncf/tag-security 

  74. CNCF TAG Security, "Software Supply Chain Best Practices v2," November 2024, https://tag-security.cncf.io/blog/software-supply-chain-security-best-practices-v2/ 

  75. OpenSSF, "OpenSSF Training Courses," https://openssf.org/training/courses/ 

  76. Linux Foundation, "Developing Secure Software (LFD121)," https://training.linuxfoundation.org/training/developing-secure-software-lfd121/ 

  77. OWASP, "Web Security Testing Guide," https://owasp.org/www-project-web-security-testing-guide/ 

  78. Google, "Google Developers Security," https://developers.google.com/security 

  79. ISC2, "Certified Secure Software Lifecycle Professional (CSSLP)," https://www.isc2.org/Certifications/CSSLP 

  80. GIAC, "GIAC Secure Software Programmer," https://www.giac.org/certifications/secure-software-programmer-java-gssp-java/ 

  81. Linux Foundation, "Certified Kubernetes Security Specialist (CKS)," https://training.linuxfoundation.org/certification/certified-kubernetes-security-specialist/ 

  82. SANS, "Secure Software Development Courses," https://www.sans.org/cyber-security-courses/?focus-area=secure-software-development 

  83. Linux Foundation, "Linux Foundation Training," https://training.linuxfoundation.org/training/ 

  84. tl;dr sec, "tl;dr sec Newsletter," https://tldrsec.com 

  85. Teleport, "This Week in Security," https://this.teleport.com/thisweekin/ 

  86. Risky Business, "Risky Business," https://risky.biz 

  87. SCSC News, "Software Supply Chain Security Newsletter," https://scscnews.com 

  88. OpenSSF, "OpenSSF Blog," https://openssf.org/blog/ 

  89. Trail of Bits, "Trail of Bits Blog," https://blog.trailofbits.com 

  90. Google, "Google Security Blog," https://security.googleblog.com 

  91. Chainguard, "Chainguard Blog," https://www.chainguard.dev/unchained 

  92. Socket, "Socket.dev Blog," https://socket.dev/blog 

  93. Snyk, "Snyk Blog," https://snyk.io/blog/ 

  94. NIST, "National Vulnerability Database," https://nvd.nist.gov 

  95. GitHub, "GitHub Advisory Database," https://github.com/advisories 

  96. Google, "Open Source Vulnerabilities (OSV)," https://osv.dev 

  97. Flashpoint, "VulnDB," https://vulndb.cyberriskanalytics.com