Software Supply Chain Best Practices document control breakdown example (Excel)
Warning - Excel file from an untrusted source (me). Happy to convert this into a more useful and safe format for the group. Software Supply Chain Control List.xlsx
Description
The Secure Software Supply Chain Control List spreadsheet is a worked example on how to separate the Security Best Practices document https://project.linuxfoundation.org/hubfs/CNCF_SSCP_v1.pdf into control elements for practical implementation.
Impact
Provides one example of how an organization might reference and implement essential items from the security best practices document. This would still need analysis and additional build out by the implementing organization to add specific information like owner, evidence requirements, and other necessary information specific to their environment. Provided as-is, but happy to answer questions.
Scope
Provided as a sample resource to ongoing activities.
Main changes:
- We removed the securing artefacts category (!!) and instead moved the controls into the Build pipeline or deployments sections as appropriate. This was done to match organizational security strategy and reduce the number of categories.
- Added additional security monitoring steps
- Added additional metadata management and monitoring steps
Format:
- Number
  - Simple numbering scheme with two letter codes for each control objective and three letter numeric codes for the controls. Ex:
    - SSSC - Secure Software Supply Chain
    - SC - Secure Code
    - 1.1.1 - Control designation
- Control Objective
  - High level control objective for the section
- Category
  - General control category
- Control
  - Control language - generally taken from the best practices document, intended to provide 'at a glance' guidance on the expected outcome
- Assurance level
  - Taken from the best practices document
- Implementation Guidance
  - More detailed language generally taken from the best practices document and simplified for consumption in some cases
- Evidence Recommendations to Validate Implementation
  - Organization specific expectations that describe how the control would be validated for specific technologies and implementations. Removed by the company prior to sharing.
- Control Owner
  - There can be only one… per target, where target is the technology or instance being reviewed
- Status
- Notes
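The column layout and numbering scheme above can be checked mechanically once the sheet is exported. The following is an added example, not code from the contributor or the controls-catalog project: it models one row of the control list, validates the SSSC / two-letter objective / 1.1.1 numbering (the hyphen separator joining the three parts is an assumption) and enforces the one-owner-per-target rule. Sample rows and assurance values are constructed, not taken from the shared spreadsheet.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed ID shape built from the post's example (SSSC / SC / 1.1.1); the hyphen
# separator is an assumption, the sheet may keep these parts in separate cells.
CONTROL_ID = re.compile(r"^SSSC-(?P<objective>[A-Z]{2})-(?P<number>\d+\.\d+\.\d+)$")


@dataclass(frozen=True)
class ControlRow:
    control_id: str       # e.g. SSSC-SC-1.1.1
    category: str         # general control category
    control: str          # 'at a glance' control language
    assurance_level: str  # taken from the best practices document
    owner: str            # control owner: only one per target
    target: str           # technology or instance being reviewed


def parse_control_id(control_id: str) -> tuple[str, str]:
    """Split an ID into (objective code, numeric designation) or raise ValueError."""
    m = CONTROL_ID.match(control_id)
    if m is None:
        raise ValueError(f"id {control_id!r} does not follow the numbering scheme")
    return m["objective"], m["number"]


def validate_rows(rows: list[ControlRow]) -> list[str]:
    """Return findings; an empty list means the sheet is consistent."""
    findings = []
    owners = defaultdict(set)  # (control_id, target) -> owners claimed for it
    for row in rows:
        try:
            parse_control_id(row.control_id)
        except ValueError as exc:
            findings.append(str(exc))
        owners[(row.control_id, row.target)].add(row.owner)
    for (cid, target), names in sorted(owners.items()):
        if len(names) > 1:  # "there can be only one... per target"
            findings.append(f"{cid} on {target!r} has {len(names)} owners: {sorted(names)}")
    return findings


# Constructed sample rows, not data from the shared spreadsheet.
SAMPLE = [
    ControlRow("SSSC-SC-1.1.1", "Source", "Require signed commits", "High", "alice", "payments-api"),
    ControlRow("SSSC-SC-1.1.1", "Source", "Require signed commits", "High", "bob", "billing-svc"),
    ControlRow("SSSC-SC-1.1.2", "Source", "Require code review", "High", "alice", "payments-api"),
    ControlRow("SSSC-SC-1.1.2", "Source", "Require code review", "High", "carol", "payments-api"),
    ControlRow("SC-1.1", "Build", "Pin build dependencies", "Moderate", "dave", "ci-runner"),
]
```

Running `validate_rows(SAMPLE)` reports the malformed `SC-1.1` id and the two owners claimed for `SSSC-SC-1.1.2` on `payments-api`, while the same control owned by different people on different targets passes.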
Thank you for the contribution @Caze121!
A public Google Sheet (edit: uploaded) might be a more consumable format for most folks if you can upload it there and enable access to the world.
The approach sounds perfectly reasonable, I look forward to digging through it 🙏
This is awesome @Caze121! Was looking forward to this!
@JonZeolla @nadgowdas will work with @Caze121 on discussing how we can make this available to the community! Would be a good opportunity to write a collaborative blog post about this as well.
@mnm678 will be the STAG rep
👋 @Caze121 I [think I] reached out to you on slack. Talk soon!
@Caze121 I've uploaded this as a Google Sheet 🙏
Thank you! On vacation and mostly offline for a bit so really appreciate the help.
Best,
This was contributed under a CC license in https://github.com/cloud-native-security-controls/controls-catalog/pull/19
@lumjjb good to close this one
Awesome, thanks @JonZeolla!!
@JonZeolla I think we still need to figure out the governance around https://github.com/cloud-native-security-controls/controls-catalog - let's have a chat about this.
This issue has been automatically marked as inactive because it has not had recent activity.