Community resources
As supply chain continuously evolves, so must the frameworks that we use to properly secure them. For this effort, we want to make this framework contributable and open as much as possible. If you would like to contribute to the Framework, please view our contribution guidelines in our GitHub repository.
These Community Resources also include links to tools and guidance from across the industry that help achieve the S2C2F requirements.
-
OpenSSF - OpenSSF was co-founded by Microsoft and is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building a broader community, targeted initiatives, and best practices.
Reproducible Builds - Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code. A build is reproducible if an artifact can be recreated bit-by-bit using the same source code, build environment, and build instructions.
SOS Rewards - The Secure Open Source Rewards pilot program financially rewards developers for enhancing the security of critical open source projects that we all depend on.
Software Package Data Exchange (SPDX) - SPDX (ISO/IEC 5962:2021) is an open standard for communicating software bill of material information, including provenance, license, security, and other related information.
OWASP CycloneDX Software Bill of Materials (SBOM) Standard - OWASP CycloneDX is a lightweight Software Bill of Materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
-
SBOM Tool – Microsoft SBOM Tool is an open-sourced, highly scalable, and enterprise ready tool that creates SPDX 2.2 compatible SBOMs for any variety of artifacts.
GitHub Advanced Security - GitHub has many features that help you improve and maintain the quality of your code. Some security features require a GitHub Advanced Security license to run on repositories apart from public repositories on GitHub. GitHub Advanced Security consists of CodeQL, Code Scanning, Secret Scanning, Security Overview and Dependency Review.
GitHub Packages - GitHub Packages is a platform for hosting and managing packages, including containers and other dependencies. GitHub Packages combines your source code and packages in one place to provide integrated permissions management and billing, so you can centralize your software development on GitHub.
Vcpkg - Vcpkg is a free C and C++ package manager from Microsoft for Windows, Linux and MacOS.
OSS Gadget - OSS Gadget is a collection of tools that can help analyze open source projects. These are intended to make it simple to perform low-level tasks, like locating the source code of a given package, downloading it, performing basic analyses on it, or estimating its health. The tools included in OSS Gadget will grow over time.
DevSkim - DevSkim is a framework of IDE extensions and language analyzers that provide inline security analysis in the dev environment as the developer writes code. It has a flexible rule model that supports multiple programming languages. The goal is to notify the developer as they are introducing a security vulnerability in order to fix the issue at the point of introduction, and to help build awareness for the developer.
Attack Surface Analyzer - Attack Surface Analyzer is an open source security tool that analyzes the attack surface of a target system and reports on potential security vulnerabilities introduced during the installation of software or system misconfiguration.
Application Inspector - Microsoft Application Inspector is a software source code characterization tool that helps identify coding features of first- or third-party software components based on well-known library/API calls. It uses hundreds of rules and regex patterns to surface interesting characteristics of source code to aid in determining what the software is or what it does from what file operations it uses, encryption, shell operations, cloud API's, frameworks and more.
Component Detection - ComponentDetection is a package scanning tool intended to be used at build time. CD produces a graph-based output of all detected components and supports a variety of open source package ecosystems.
Oryx - Oryx is a build system which automatically compiles source code repositories into runnable artifacts. It is used to build web apps for Azure App Service and other platforms.
DotNet.ReproducibleBuilds - This package enables reproducible builds in a single step and documents MSBuild settings useful for enabling reproducibility through isolation.
Azure Artifacts - Azure Artifacts enables developers to share their code efficiently and manage all their packages from one place. With Azure Artifacts, developers can publish packages to their feeds and share it within the same team, across organizations, and even publicly.
Organization Insights & Dependency Graph - Dependency insights can help you track, report, and act on your organization's open source usage. You can view vulnerabilities, licenses, and other important information for the open source projects your organization depends on.
GitHub dependency graph - The dependency graph includes all the dependencies of a repository that are detailed in the manifest and lock files, or their equivalent, for supported ecosystems. Use the dependency graph to view and update vulnerable dependencies for your repository.Dependabot - Dependabot performs a scan to detect vulnerable dependencies and sends Dependabot alerts when a new vulnerability is added to the GitHub Advisory Database or the dependency graph for a repository changes.
Dependency Review - Dependency review lets you catch vulnerable dependencies before you introduce them to your environment, and provides information on license, dependents, and age of dependencies.
-
Duplicating a repository - Learn how to maintain a mirror of a repository without forking it.
NuGet Package Source Mapping - Starting with NuGet 6.0, you can centrally declare which source each package in your solution should restore from in your nuget.config file. The feature is available across all NuGet integrated tooling.
Version pinning and lock files - Specifying precise versions for packages and transitive dependencies, rather than an open range (“3.5.4” rather than “>=3.5” or “3.5.*”), will mitigate forced upgrade or downgrade attacks.
Confidential disclosure guidelines - Vulnerability disclosure is an area where collaboration between vulnerability reporters, such as security researchers, and project maintainers is very important. The initial report of a vulnerability is made privately, and the full details are only published once the maintainer has acknowledged the issue, and ideally made remediations or a patch available, sometimes with a delay to allow more time for the patches to be installed.
Best practices for a secure software supply chain - This document dives deeper into what the term “software supply chain” means, why it matters, and how you can help secure your project’s supply chain with best practices.
3 Ways to Mitigate Risk When Using Private Package Feeds - This white paper discusses configurations that can introduce risk in your software supply chain and how to mitigate these risks.
Who Wants a Thousand Free Puppies? Managing Open Source in the Enterprise – This presentation describes the lessons learned building an OSS security program at Microsoft, explores best practices, and discuss how to tailor those practices effectively within your organization.
Threats, Risks, and Mitigations in the Open Source Ecosystem – The purpose of this document is to build a mutual understanding of the high-level threats, security risks, and potential mitigations associated with the open source ecosystem.
Taxonomy of Attacks on Open-Source Software Supply Chains – This work proposes a general taxonomy for attacks on open source supply chains, independent of specific programming languages or ecosystems, and covering all supply chain stages from code contributions to package distribution.
Software Supply Chain Threats – Google Cloud has released a guide about software supply chain threats and attack vectors.
Supply Chain Risk Management Practices for Federal Information Systems and Organizations - This publication by the National Institute of Standards and Technology (NIST) provides guidance to federal agencies on identifying, assessing, and mitigating information and communications technology (ICT) supply chain risks at all levels of their organizations.
Secure Software Development Framework (SSDF) - This document by NIST describes a set of fundamental, sound practices for secure software development called the Secure Software Development Framework (SSDF).
CIS WorkBench / Benchmarks – The Center for Internet Security (CIS) has developed CIS Benchmarks: more than 100 configuration guidelines across 25+ vendor product families to safeguard systems against today’s evolving cyber threats. Through CIS WorkBench, you can network and collaborate with cybersecurity professionals and help draft configuration recommendations for the CIS Benchmarks.
OWASP Software Component Verification Standard - The Software Component Verification Standard (SCVS) by the Open Web Application Security Project (OWASP) is a community-driven effort to establish a framework for identifying activities, controls, and best practices, which can help in identifying and reducing risk in a software supply chain.
Supply-chain Levels for Software Artifacts (SLSA) – SLSA is a set of standards and technical controls you can adopt to improve artifact integrity, and build towards completely resilient systems.
Software Supply Chain Best Practices – This document by the Cloud Native Computing Foundation (CNCF) aims to offer the community a holistic approach to supply chain security by highlighting the importance of layered defensive practices.
Managing Security Risks Inherent in the Use of Third-party Components - This white paper by Software Assurance Forum for Excellence in Code (SAFECode) provides a blueprint for how to identify, assess and manage the security risks associated with the use of third-party components. The white paper helps to understand these security risks and provides recommendations to help manage them.