# Software Supply Chain Security

## Introduction
A knowledge base comprising **Software Supply Chain Security** initiatives, standards, regulations, organizations, vendors, tooling, books, articles and a plethora of other learning resources from the web. The list was initially compiled to help me with my research on the topic of Software Supply Chain Security. I've now made the list public for the benefit of everyone else working in this domain. I will endeavour to keep the list up to date as best as I can.

## Organizations, Foundations, Working Groups
### National Telecommunications and Information Administration ([NTIA](https://www.ntia.gov/))
* [NTIA SBOM Resources](https://www.ntia.gov/page/software-bill-materials)
* [SBOM FAQ](https://www.ntia.doc.gov/files/ntia/publications/sbom_faq_-_fork_for_october_22_meeting.pdf)
* [How-To Guide for SBOM Generation](https://www.ntia.gov/files/ntia/publications/howto_guide_for_sbom_generation_v1.pdf)
* [The Minimum Elements For a Software Bill of Materials (SBOM)](https://www.ntia.gov/report/2021/minimum-elements-software-bill-materials-sbom), [[PDF](https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf)]

### Cybersecurity and Infrastructure Security Agency ([CISA](https://www.cisa.gov/))
* [CISA SBOM Resources](https://www.cisa.gov/sbom)
* [Types of Software Bill of Material (SBOM) Documents](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf)
* [Software Bill of Materials (SBOM) Sharing Lifecycle Report](https://www.cisa.gov/sites/default/files/2023-04/sbom-sharing-lifecycle-report_508.pdf), April 2023
* [SBOM-a-rama 2023 Recordings](https://www.cisa.gov/news-events/events/sbom-rama)
* [SBOM-a-rama 2021 Recordings](https://www.cisa.gov/resources-tools/resources/cisa-sbom-rama)
* [CISA recommendations on Defending Against Software Supply Chain Attacks](https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf), CISA, April 2021
* [CISA Security-by-Design and -Default guidance](https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default)
* [2022 Top Routinely Exploited Vulnerabilities](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a), [[PDF](https://www.cisa.gov/sites/default/files/2023-08/aa23-215a_joint_csa_2022_top_routinely_exploited_vulnerabilities.pdf)]
* [Transforming the Vulnerability Management Landscape](https://www.cisa.gov/news-events/news/transforming-vulnerability-management-landscape) - CISA blog outlining three critical steps to advance the vulnerability management ecosystem.
* [CISA Open Source Software Security Roadmap](https://www.cisa.gov/resources-tools/resources/cisa-open-source-software-security-roadmap), [[PDF](https://www.cisa.gov/sites/default/files/2023-09/CISA-Open-Source-Software-Security-Roadmap-508c%20%281%29.pdf)]
* [CISA Hardware Bill of Materials (HBOM) Framework for Supply Chain Risk Management](https://www.cisa.gov/resources-tools/resources/hardware-bill-materials-hbom-framework-supply-chain-risk-management), [[PDF](https://www.cisa.gov/sites/default/files/2023-09/A%20Hardware%20Bill%20of%20Materials%20Framework%20for%20Supply%20Chain%20Risk%20Management%20%28508%29.pdf)]
* [Improving Security of Open Source Software (OSS) in Operational Technology (OT) and Industrial Control Systems (ICS)](https://www.cisa.gov/sites/default/files/2023-10/Fact_Sheet_Improving_OSS_in_OT_ICS_508c.pdf)
* [CISA Software Identification Ecosystem Option Analysis white paper](https://www.cisa.gov/news-events/news/cisa-issues-request-comment-software-identification-ecosystem-analysis-white-paper), [[PDF](https://www.cisa.gov/sites/default/files/2023-10/Software-Identification-Ecosystem-Option-Analysis-508c.pdf)]
* [Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption](https://www.cisa.gov/news-events/alerts/2023/11/09/cisa-nsa-and-partners-release-new-guidance-securing-software-supply-chain), [[PDF](https://media.defense.gov/2023/Nov/09/2003338086/-1/-1/0/SECURING%20THE%20SOFTWARE%20SUPPLY%20CHAIN%20RECOMMENDED%20PRACTICES%20FOR%20SOFTWARE%20BILL%20OF%20MATERIALS%20CONSUMPTION.PDF)], November 2023
* [Securing the Software Supply Chain: Recommended Practices for Managing Open-Source Software and Software Bill of Materials](https://media.defense.gov/2023/Dec/11/2003355557/-1/-1/1/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN%20RECOMMENDED%20PRACTICES%20FOR%20MANAGING%20OPEN%20SOURCE%20SOFTWARE%20AND%20SOFTWARE%20BILL%20OF%20MATERIALS.PDF), December 2023

### The White House - Office of the National Cyber Director ([ONCD](https://www.whitehouse.gov/oncd/))
* [Request for Information: Open-Source Software Security: Areas of Long-Term Focus and Prioritization](https://www.regulations.gov/document/ONCD-2023-0002-0001), [[Public comments to RFI](https://www.regulations.gov/document/ONCD-2023-0002-0001/comment)]
* [National Cybersecurity Strategy 2023](https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf)

### National Institute of Standards and Technology ([NIST](https://www.nist.gov/))
* [Improving the Nation's Cybersecurity: NIST's Responsibilities Under the May 2021 Executive Order](https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity)
* [NIST SP 800-218: Secure Software Development Framework (SSDF)](https://csrc.nist.gov/Projects/ssdf)
* [NIST SP 800-204D - Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD pipelines](https://csrc.nist.gov/pubs/sp/800/204/d/ipd), [[PDF](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204D.ipd.pdf)], (Initial Public Draft) - August 2023, Comments Due Date: October 13, 2023
* [NIST SP 800-161 Rev.1: Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations](https://csrc.nist.gov/pubs/sp/800/161/r1/final), May 2022

### Open Worldwide Application Security Project ([OWASP](https://owasp.org/))
* [OWASP Software Component Verification Standard](https://owasp.org/www-project-software-component-verification-standard/)
* [OWASP Top 10 CI/CD Security Risks](https://owasp.org/www-project-top-10-ci-cd-security-risks/)
* [OWASP CycloneDX](https://owasp.org/www-project-cyclonedx/)
* [OWASP BOM Maturity Model](https://scvs.owasp.org/bom-maturity-model/)
* [Article on Component Analysis](https://owasp.org/www-community/Component_Analysis) by [Steve Springett](https://www.linkedin.com/in/stevespringett/)

### Open Source Security Foundation ([OpenSSF](https://openssf.org/))
* [The Open Source Software Security Mobilization Plan](https://openssf.org/oss-security-mobilization-plan/)
* [OpenSSF Working Groups](https://openssf.org/community/openssf-working-groups/)
* [OpenSSF sigstore](https://www.sigstore.dev/)
* [Securing Your Software Supply Chain with Sigstore Course](https://openssf.org/training/securing-your-software-supply-chain-with-sigstore-course/)
* [OpenSSF Scorecard](https://securityscorecards.dev/), [[GitHub](https://github.com/ossf/scorecard)]
* [OpenSSF Source Code Management Best Practices Guide](https://best.openssf.org/SCM-BestPractices/)
* [OpenSSF Threat Model of Enterprise Open Source Supply Chains](https://docs.google.com/document/d/1lLCsT0a5vp6FcvquWPzx8AzhFMORyw-4rd9WSyUO9zI)
* [SBOMit: Adding Verification to SBOMs](https://openssf.org/blog/2023/12/13/introducing-sbomit-adding-verification-to-sboms/), [[GitHub](https://github.com/SBOMit/specification/)]

### Cloud Native Computing Foundation ([CNCF](https://www.cncf.io/))
* [Software Supply Chain Security](https://github.com/cncf/tag-security/tree/main/supply-chain-security)
* [CNCF Software Supply Chain Best Practices](https://project.linuxfoundation.org/hubfs/CNCF_SSCP_v1.pdf), [[GitHub](https://github.com/cncf/tag-security/blob/main/supply-chain-security/supply-chain-security-paper/CNCF_SSCP_v1.pdf)]
* [Secure Software Factory Reference Architecture](https://github.com/cncf/tag-security/blob/main/supply-chain-security/secure-software-factory/Secure_Software_Factory_Whitepaper.pdf)
* [Factory for Repeatable Secure Creation of Artifacts (FRSCA)](https://github.com/buildsec/frsca)

### [Software Transparency Foundation](https://st.foundation/)
* [OSSKB.org](https://osskb.org/)

## Regulations
* [EO-14028 - Executive Order on Improving the Nation's Cybersecurity](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/), May 12, 2021
* [The European Cyber Resilience Act (CRA)](https://www.european-cyber-resilience-act.com/), September 2022

## Standards, Frameworks, Best Practices
* [Supply-chain Levels for Software Artifacts (SLSA)](https://slsa.dev/), [[GitHub](https://github.com/slsa-framework/slsa)], [[Google](https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html)]
* [OWASP Software Component Verification Standard (SCVS)](https://owasp.org/www-project-software-component-verification-standard/)
* [NIST SP 800-218: Secure Software Development Framework (SSDF)](https://csrc.nist.gov/Projects/ssdf)
* [NIST recommendations on Defending Against Software Supply Chain Attacks](https://www.cisa.gov/sites/default/files/publications/defending_against_software_supply_chain_attacks_508_1.pdf), NIST, April 2021
* [OASIS Common Security Advisory Framework (CSAF)](https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=csaf), [[GitHub](https://oasis-open.github.io/csaf-documentation/index.html)] - Common Security Advisory Framework (CSAF) is a language for exchanging security advisories; it allows stakeholders to automate the creation and consumption of security vulnerability information and remediation.
* [Defending Continuous Integration/Continuous Delivery (CI/CD) Environments](https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3441780/nsa-and-cisa-best-practices-to-secure-cloud-continuous-integrationcontinuous-de/), NSA and CISA joint Cybersecurity Information Sheet (CSI), June 2023
* [Securing the Software Supply Chain: Recommended Practices Guide for Customers](https://media.defense.gov/2022/Nov/17/2003116445/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_CUSTOMER.PDF), ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Customers [[Press Release](https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3221208/esf-partners-nsa-and-cisa-release-software-supply-chain-guidance-for-customers/)], November 2022
* [Securing the Software Supply Chain: Recommended Practices Guide for Suppliers](https://media.defense.gov/2022/Oct/31/2003105368/-1/-1/0/SECURING_THE_SOFTWARE_SUPPLY_CHAIN_SUPPLIERS.PDF), ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Suppliers [[Press Release](https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3204427/esf-partners-nsa-and-cisa-release-software-supply-chain-guidance-for-suppliers/)], October 2022
* [Securing the Software Supply Chain: Recommended Practices Guide for Developers](https://media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF), NSA, CISA, ODNI Release Software Supply Chain Guidance for Developers [[Press Release](https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3146465/nsa-cisa-odni-release-software-supply-chain-guidance-for-developers/)], August 2022
* [CIS Software Supply Chain Security Guide v1.0](https://www.cisecurity.org/insights/white-papers/cis-software-supply-chain-security-guide), June 2022
* [NSA CSI on Recommendations for Software Bill of Materials (SBOM) Management](https://media.defense.gov/2023/Dec/14/2003359097/-1/-1/0/CSI-SCRM-SBOM-MANAGEMENT.PDF), December 2023
* [Microsoft Secure Supply Chain Consumption Framework (S2C2F)](https://www.microsoft.com/en-us/security/blog/2022/11/16/microsoft-contributes-s2c2f-to-openssf-to-improve-supply-chain-security/), [[GitHub](https://github.com/ossf/s2c2f)]
* [Blueprint for building modern, secure software development pipelines](https://github.com/Venafi/blueprint-securesoftwarepipeline)
* [in-toto](https://in-toto.io/), [[GitHub](https://github.com/in-toto/community)] - A framework to secure the integrity of software supply chains. It does so by verifying that each task in the chain is carried out as planned, by authorized personnel only, and that the product is not tampered with in transit.
* [Trusted Attestation and Compliance for Open Source (TACOS) Framework](https://github.com/tacosframework) - TACOS is a framework for attesting to the secure software development practices of open source packages.
* [The Update Framework (TUF)](https://theupdateframework.io/), [Repository Service for TUF (RSTUF)](https://github.com/repository-service-tuf/repository-service-tuf) - A framework for securing software update systems.
* [ODNI Supply Chain Risk Management Documentation](https://www.odni.gov/index.php/ncsc-what-we-do/ncsc-supply-chain-threats)
* [Supply Chain Integrity, Transparency, and Trust (SCITT)](https://scitt.io/), [[GitHub](https://github.com/ietf-scitt)], [[SCIM GitHub](https://github.com/microsoft/scim)] - The Supply Chain Integrity, Transparency and Trust (SCITT) initiative is a set of proposed IETF industry standards for managing the compliance of goods and services across end-to-end supply chains.
* [MITRE Supply Chain Security System of Trust (SoT) initiative](https://sot.mitre.org/)
* [OpenPubkey Project](https://www.bastionzero.com/openpubkey), [[GitHub](https://github.com/openpubkey/openpubkey)], [[Signing Docker Official Images Using OpenPubkey](https://www.docker.com/blog/signing-docker-official-images-using-openpubkey/)]
* [Tekton Chains](https://tekton.dev/) - Artifact signatures and attestations for Tekton CI/CD systems.
* [Notary](https://notaryproject.dev/), [[GitHub](https://github.com/notaryproject/.github/blob/main/README.md)] - A CNCF incubating project aiming to provide enterprise-grade solutions and cross-industry standards for signing and validating software artifacts.

## Software Supply Chain Threats
#### Threats
* [SLSA Threats & Mitigations](https://slsa.dev/spec/v1.0/threats)
* [Google article on Software Supply Chain Threats](https://cloud.google.com/software-supply-chain-security/docs/attack-vectors)
* [MITRE ATT&CK Supply Chain Compromise Techniques](https://attack.mitre.org/techniques/T1195/)
* [CAPEC Supply-Chain Attack Vectors](https://capec.mitre.org/data/definitions/437.html)
* [CNCF Catalog of Types of Supply Chain Compromises](https://github.com/cncf/tag-security/blob/main/supply-chain-security/compromises/compromise-definitions.md)
* [Open Software Supply Chain Attack Reference (OSC&R)](https://pbom.dev/), [[GitHub](https://github.com/pbom-dev/OSCAR)]
* [OWASP Top 10 CI/CD Security Risks](https://owasp.org/www-project-top-10-ci-cd-security-risks/)
* [Microsoft Open Source Software Supply Chain Threats catalogue](https://www.microsoft.com/en-us/securityengineering/opensource/ossthreats)
* [Top 10 Open Source Software (OSS) Risks](https://www.endorlabs.com/top-10-open-source-risks), [[PDF](https://22601473.fs1.hubspotusercontent-na1.net/hubfs/22601473/EndorLabs_Top10_OSS_Risks.pdf)]

#### Attacks / Compromises
* [Worldwide software supply chain attacks tracker (updated daily)](https://www.comparitech.com/software-supply-chain-attacks/)
* [CNCF Tag Security - Catalog of Supply Chain Compromises](https://github.com/cncf/tag-security/tree/main/supply-chain-security/compromises)
* [IQT Labs - Software Supply Chain Compromises](https://github.com/IQTLabs/software-supply-chain-compromises)
* [ReversingLabs - A (Partial) History of Software Supply Chain Attacks](https://www.reversinglabs.com/blog/a-partial-history-of-software-supply-chain-attacks)
* [Sonatype - A History of Software Supply Chain Attacks - July 2017–Present](https://www.sonatype.com/resources/vulnerability-timeline)

#### Attack Research / Reports
* [PowerHell: Active Flaws in PowerShell Gallery Expose Users to Attacks](https://blog.aquasec.com/powerhell-active-flaws-in-powershell-gallery-expose-users-to-attacks), August 2023
* [Software Supply Chain Attacks - An Illustrated Typological Review](https://www.research-collection.ethz.ch/bitstream/handle/20.500.11850/584947/2/Cyber-Reports-2023-01-Software-Supply-Chain-Attacks.pdf), January 2023
* [ENISA Threat Landscape for Supply Chain Attacks](https://www.enisa.europa.eu/publications/threat-landscape-for-supply-chain-attacks), July 2021
* [Atlantic Council's BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain](https://atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf), July 2020
* [Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks](https://link.springer.com/chapter/10.1007/978-3-030-52683-2_2), July 2020
* [Risk Explorer for Software Supply Chains](https://sap.github.io/risk-explorer-for-software-supply-chains/), [[Attack Vectors](https://sap.github.io/risk-explorer-for-software-supply-chains/#/attackvectors)], [[Safeguards](https://sap.github.io/risk-explorer-for-software-supply-chains/#/safeguards)], [[Research Paper](https://arxiv.org/abs/2204.04008)], [[GitHub](https://github.com/SAP/risk-explorer-for-software-supply-chains)]
* [ODNI Software Supply Chain Attacks - 2023 Edition](https://www.dni.gov/files/NCSC/documents/supplychain/Software-Supply-Chain-Attacks.pdf)
* [ODNI Software Supply Chain Attacks - 2021 Edition](https://www.dni.gov/files/NCSC/documents/supplychain/Software_Supply_Chain_Attacks.pdf)
* [ODNI Software Supply Chain Attacks - 2017 Edition](https://www.dni.gov/files/NCSC/documents/supplychain/20190327-Software-Supply-Chain-Attacks02.pdf)

## Vulnerability Management
#### Vulnerability Databases
* [CVE (New)](https://www.cve.org/), [CVE (Old)](https://cve.mitre.org/)
* [National Vulnerability Database (NVD)](https://nvd.nist.gov/)
* [VulnDB](https://vulndb.cyberriskanalytics.com/)
* [The Exploit Database](https://www.exploit-db.com/)
* [Open Source Vulnerability Database (OSV)](https://osv.dev/)
* [Global Security Database (GSD)](https://gsd.id/)
* [Sonatype OSS Index](https://ossindex.sonatype.org/)
* [Snyk Vulnerability DB](https://security.snyk.io/vuln)
* [Open Source Insights](https://deps.dev/) - Open Source Insights is a service developed and hosted by Google to help developers better understand the structure, construction, and security of open source software packages.
* [VulnerableCode](https://public.vulnerablecode.io/) - VulnerableCode provides an open database of software packages that are affected by known security vulnerabilities.

#### EPSS
* [Exploit Prediction Scoring System (EPSS)](https://www.first.org/epss/)

#### VEX
* [Vulnerability Exploitability eXchange (VEX)](https://www.ntia.gov/files/ntia/publications/vex_one-page_summary.pdf)
* [VEX Use Cases](https://www.cisa.gov/sites/default/files/publications/VEX_Use_Cases_April2022.pdf)
* [VEX Status Justification](https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf)
* [Minimum Requirements for Vulnerability Exploitability eXchange (VEX)](https://www.cisa.gov/resources-tools/resources/minimum-requirements-vulnerability-exploitability-exchange-vex), [[PDF](https://www.cisa.gov/sites/default/files/2023-04/minimum-requirements-for-vex-508c.pdf)]
* [When to Issue VEX Information](https://www.cisa.gov/sites/default/files/2023-11/When-to-Issue-a-VEX-508c.pdf)
* [VDR vs VEX](https://owasp.org/blog/2023/02/07/vdr-vex-comparison)
* [What is the Vulnerability Exploitability eXchange (VEX)?](https://community.cisco.com/t5/security-knowledge-base/what-is-the-vulnerability-exploitability-exchange-vex/ta-p/4819021)
* [OpenVEX Specification](https://github.com/openvex/spec)
* [OASIS CSAF Specification](https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#45-profile-5-vex)

#### SSVC
* [CISA Stakeholder Specific Vulnerability Categorization (SSVC)](https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc), [[GitHub](https://github.com/CERTCC/SSVC)]

#### KEV
* [CISA Known Exploited Vulnerabilities Catalog (KEV)](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

## Software Identification
* [Common Platform Enumeration (CPE)](https://csrc.nist.gov/pubs/ir/7697/final)
* [Software Identification (SWID)](https://csrc.nist.gov/projects/Software-Identification-SWID)
* [Package URL (purl)](https://github.com/package-url/purl-spec)

## Bill of Materials (BOM)
* [Software Bill of Materials (SBOM)](https://cyclonedx.org/capabilities/sbom)
* [Software as a Service Bill of Materials (SaaSBOM)](https://cyclonedx.org/capabilities/saasbom)
* [Hardware Bill of Materials (HBOM)](https://cyclonedx.org/capabilities/hbom)
* [Machine Learning Bill of Materials (MLBOM)](https://cyclonedx.org/capabilities/mlbom)
* [Manufacturing Bill of Materials (MBOM)](https://cyclonedx.org/capabilities/mbom)
* [Operations Bill of Materials (OBOM)](https://cyclonedx.org/capabilities/obom)
* [Cryptography Bill of Materials (CBOM)](https://github.com/IBM/CBOM)

### Software Bill of Materials (SBOM)
#### Formats and Specifications
* [CycloneDX](https://cyclonedx.org/)
* [Software Package Data Exchange (SPDX)](https://spdx.dev/)
* [Software Identification (SWID)](https://csrc.nist.gov/projects/Software-Identification-SWID)

#### SBOM Lifecycle
* [IETF Draft - Discovering and Retrieving Software Transparency and Vulnerability Information](https://datatracker.ietf.org/doc/draft-ietf-opsawg-sbom-access/)

#### SBOM Adoption / Implementation
* [SBOM Hall of Fame](https://github.com/communitysec/sbom-hall-of-fame) - A place for the InfoSec community to share and celebrate real stories of organizations successfully using SBOMs (and other bills of material) to actually manage and reduce security risk in meaningful ways.
* [FOSS SBOM Management @ Mercedes-Benz: This is how we do it!](https://opensource.mercedes-benz.com/news/foss_sbom_management/), November 2023
* [Cisco Demonstrating Transparency through Software Bill of Materials (SBOM)](https://blogs.cisco.com/security/demonstrating-transparency-through-software-bill-of-materials-sbom), August 2023
* [Introducing Software Bill of Materials for Confluent Platform](https://www.confluent.io/blog/software-bill-of-materials/), July 2023
* [GitLab Software Supply Chain Security Direction](https://about.gitlab.com/direction/supply-chain/)

### Tooling
#### SBOM Generation
* [kubernetes bom tool](https://github.com/kubernetes-sigs/bom)
* [Microsoft's SBOM Tool](https://github.com/microsoft/sbom-tool)
* [spdx-sbom-generator](https://github.com/opensbom-generator/spdx-sbom-generator)
* [syft](https://github.com/anchore/syft)
* [Tern](https://github.com/tern-tools/tern) - A software package inspection tool to generate Software Bill of Materials (SBOM) for containers.
* [Trivy](https://github.com/aquasecurity/trivy)

#### SBOM Scanning & Analysis
* [OWASP Dependency-Track](https://dependencytrack.org/)
* [Graph for Understanding Artifact Composition (GUAC)](https://guac.sh/), [[GitHub](https://github.com/guacsec/guac)], [[Google Article](https://security.googleblog.com/2022/10/announcing-guac-great-pairing-with-slsa.html)], [[YouTube](https://www.youtube.com/watch?v=U7jRTZUDHYM)]
* [Grype](https://github.com/anchore/grype) - A vulnerability scanner for container images and filesystems. Grype works with Syft, the SBOM generation tool for container images and filesystems.
* [NTIA Conformance Checker](https://github.com/spdx/ntia-conformance-checker)
* [protobom](https://github.com/bom-squad/protobom) - Protobom offers a format-neutral representation of SBOM package and file data and the ability to translate this data between popular SBOM formats.
* [bomshell](https://github.com/chainguard-dev/bomshell) - Bomshell is an SBOM programming interface and workbench that lets users query and remix data from SBOMs to extract and model software to generate new SBOMs that are structured and contain the data that SBOM ingestion tools expect.
* [bomber](https://github.com/devops-kung-fu/bomber) - bomber scans the closed source SBOMs that are provided when you receive them from vendors. It can scan open source SBOMs too, and technically you could use bomber as an open source SCA tool if you wanted to.

#### SBOM Governance
* [Aqua Chain-bench](https://github.com/aquasecurity/chain-bench/tree/main)
* [SBOM Benchmark](https://sbombenchmark.dev/)
* [sbomqs: Quality metrics for SBOMs](https://github.com/interlynk-io/sbomqs)

## Software Supply Chain Security in the Cloud
#### AWS
* [Exporting SBOMs with Amazon Inspector](https://docs.aws.amazon.com/inspector/latest/user/sbom-export.html)
* [Using SBOM to find vulnerable container images running on Amazon EKS clusters](https://aws.amazon.com/blogs/containers/using-sbom-to-find-vulnerable-container-images-running-on-amazon-eks-clusters/)
* [Best Practices to help secure your container image build pipeline by using AWS Signer](https://aws.amazon.com/blogs/security/best-practices-to-help-secure-your-container-image-build-pipeline-by-using-aws-signer/)

#### Azure
* [SBOM - Engineering@Microsoft](https://devblogs.microsoft.com/engineering-at-microsoft/tag/sbom/)

#### GCP
* [Google's Software Supply Chain Security documentation](https://cloud.google.com/software-supply-chain-security/docs)

## Books
* [Securing the Software Supply Chain - Protect your application development lifecycle](https://www.manning.com/books/securing-the-software-supply-chain) by [Michael Lieberman](https://www.linkedin.com/in/michael-lieberman-65786ba/) and [Brandon Lum](https://www.linkedin.com/in/brandon-lum-a7b79418/), Release date: Expected Spring 2024
* [Software Supply Chain Security: Securing the End-to-End Supply Chain for Software, Firmware, and Hardware](https://www.amazon.com/Software-Supply-Chain-Security-End/dp/1098133706/) by [Cassie Crossley](https://www.linkedin.com/in/cassiecrossley/), Release date: Expected January 2024
* [Software Transparency - Supply Chain Security in an Era of Software-Driven Society](https://www.amazon.com/Software-Transparency-Security-Software-Driven-Society/dp/1394158483) by [Chris Hughes](https://www.linkedin.com/in/resilientcyber/) and [Tony Turner](https://www.linkedin.com/in/tonyturnercissp/), Release date: June 2023

## Industry Reports
* [Sonatype 9th Annual State of the Software Supply Chain](https://www.sonatype.com/state-of-the-software-supply-chain/introduction), Sonatype, 2023
* [Snyk State of Open Source Security 2023 Report](https://snyk.io/reports/open-source-security/), Snyk, 2023
* [Synopsys Open Source Security and Risk Analysis Report](https://www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html), Synopsys, 2023
* [The State of Dependency Management](https://www.endorlabs.com/state-of-dependency-management), Endor Labs, 2023
* [The State of Software Supply Chain Security 2023](https://www.reversinglabs.com/reports/state-of-supply-chain-security-22), ReversingLabs, 2023
* [Sonatype 8th Annual State of the Software Supply Chain report](https://www.sonatype.com/state-of-the-software-supply-chain/introduction), Sonatype, 2022
* [OpenSSF Annual Report](https://openssf.org/wp-content/uploads/sites/132/2022/12/OpenSSF-Annual-Report-2022.pdf), OpenSSF, 2022
* [Software Bill of Materials (SBOM) and Cybersecurity Readiness](https://8112310.fs1.hubspotusercontent-na1.net/hubfs/8112310/LF%20Research/State%20of%20Software%20Bill%20of%20Materials%20-%20Report.pdf), The Linux Foundation, January 2022
* [The State of Enterprise Open Source](https://www.redhat.com/en/enterprise-open-source-report/2022), RedHat, 2022
* [The State of Open Source Security Vulnerabilities](https://www.mend.io/wp-content/media/2021/03/The-state-of-open-source-vulnerabilities-2021-annual-report.pdf), Mend, 2021
* [GSMA Open Source Software Security Research Summary](https://www.gsma.com/security/wp-content/uploads/2020/12/Open-Source-Software-Security-Research-Summary-v1.1.pdf), GSMA, December 2020
* [Snyk State of Open Source Security Report](https://go.snyk.io/rs/677-THP-415/images/State%20Of%20Open%20Source%20Security%20Report%202020.pdf), Snyk, 2020
* [State of Software Security - Open Source Edition](https://www.veracode.com/sites/default/files/pdf/resources/reports/state-of-software-security-open-source-edition-veracode-report.pdf), Veracode, 2020
* [State of the Software Supply Chain - The 6th Annual Report on Global Open Source Software Development](https://www.sonatype.com/hubfs/Corporate/Software%20Supply%20Chain/2020/SON_SSSC-Report-2020_final_aug11.pdf), Sonatype, 2020

## Guides / Documentation
* [Authoritative Guide to SBOM](https://cyclonedx.org/guides/sbom/OWASP_CycloneDX-SBOM-Guide-en.pdf), OWASP CycloneDX, June 2023
* [Open Source Supply Chain Security course](https://osssc-edu.github.io/supply-chain.github.io/) - Course material collected, curated, maintained and structured by PhD students and faculty from the [KTH Royal Institute of Technology](https://www.kth.se/en) in Stockholm, Sweden
* [GitHub documentation on Software Supply Chain Security](https://docs.github.com/en/code-security/supply-chain-security)
* [Sonatype Software Bill of Materials (SBOM) Quick Start Guide](https://help.sonatype.com/iqserver/quickstart-guides/software-bill-of-materials-%28sbom%29-quick-start)
* [SLSA mapping to other Frameworks](https://docs.google.com/spreadsheets/d/1P_xxMlyF5iPV51CqIk8_EhI57aR6wf1Gkrg8sRHBMMQ)
* [Venafi - The software supply chain toolkit](https://venafi.com/jetstack-consult/software-supply-chain/) - An interactive guide on how to secure your third-party software

## Articles / White Papers
#### Supply Chain Attacks

#### Supply Chain Security
* [Fostering Open Source Software Security - Blueprint for a Government Cybersecurity Open Source Program Office](https://www.stiftung-nv.de/sites/default/files/snv_fostering_open_source_software_security.pdf), Stiftung Neue Verantwortung (SNV), May 2023
* [Tragedy of the Digital Commons](https://ssrn.com/abstract=4245266), Sharma, Chinmayi, Written: August 2022, Last Revised: May 2023
* ["Always Contribute Back": A Qualitative Study on Security Challenges of the Open Source Supply Chain](https://saschafahl.de/static/paper/ossc2023.pdf), April 2023
* [MITRE Whitepaper - Deliver Uncompromised: Securing Critical Software Supply Chains](https://www.mitre.org/sites/default/files/2021-11/prs-21-0278-deliver-uncompromised-securing-critical-software-supply-chain.pdf), September 2021
* [On Systematics of the Information Security of Software Supply Chains](https://link.springer.com/chapter/10.1007/978-3-030-63322-6_9), December 2020
* [For Good Measure - Counting Broken Links: A Quant's View of Software Supply Chain Security](https://www.usenix.org/system/files/login/articles/login_winter20_17_geer.pdf), December 2020
* [BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain](https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf), July 2020
* [Surviving Software Dependencies - Software reuse is finally here but comes with risks.](https://queue.acm.org/detail.cfm?id=3344149), July 2019
* [Supply Chain Integrity: An overview of the ICT supply chain risks and challenges, and vision for the way forward](https://www.enisa.europa.eu/publications/sci-2015), ENISA, September 2015

#### SBOM
* [Principles and Practices for Software Bill of Materials for Medical Device Cybersecurity](https://www.imdrf.org/sites/default/files/2023-04/Principles%20and%20Practices%20for%20Software%20Bill%20of%20Materials%20for%20Medical%20Device%20Cybersecurity%20%28N73%29.pdf), Medical Device Cybersecurity Working Group, International Medical Device Regulators Forum, April 2023
* [An Empirical Study on Software Bill of Materials: Where We Stand and the Road Ahead](https://arxiv.org/pdf/2301.05362.pdf), February 2023
* [Using the Software Bill of Materials for Enhancing Cybersecurity](https://english.ncsc.nl/binaries/ncsc-en/documenten/publications/2021/february/4/using-the-software-bill-of-materials-for-enhancing-cybersecurity/Final+Report+SBoM+for+Cybersecurity+v1.0.pdf), Capgemini, January 2021

## GitHub Repos
* [bureado / awesome-software-supply-chain-security](https://github.com/bureado/awesome-software-supply-chain-security)
* [meta-fun / awesome-software-supply-chain-security](https://github.com/meta-fun/awesome-software-supply-chain-security)
* [awesomeSBOM / awesome-sbom](https://github.com/awesomeSBOM/awesome-sbom)
* [AevaOnline / supply-chain-synthesis](https://github.com/AevaOnline/supply-chain-synthesis/)
* [IQTLabs / software-supply-chain-compromises](https://github.com/IQTLabs/software-supply-chain-compromises)
* [chainguard-dev / ssc-reading-list](https://github.com/chainguard-dev/ssc-reading-list)
* [chughes757 / SecureSoftwareSupplyChain](https://github.com/chughes757/SecureSoftwareSupplyChain)

## Other Repos
* [CloudSecDocs / Supply Chain Security](https://cloudsecdocs.com/devops/pipelines/supply_chain/supply_chain_security/)

## GitHub Projects
* [Malicious Dependencies](https://github.com/jeremylong/malicious-dependencies)
* [neo4cyclone](https://github.com/javixeneize/neo4cyclone) - Neo4Cyclone is a project that ingests CycloneDX SBOMs into a Neo4j database for visualisation purposes.
* [Common Threat Matrix for CI/CD Pipeline](https://github.com/rung/threat-matrix-cicd) - An ATT&CK-like matrix focused on CI/CD pipeline risks.

## Events / Conferences
None

## Trainings
* [cicd-goat](https://github.com/cider-security-research/cicd-goat) - Deliberately vulnerable CI/CD environment. Hack CI/CD pipelines, capture the flags.

## Webinars
* [Endor Labs webinars](https://www.endorlabs.com/resources-overview)

## Podcasts
* [daBOM](https://dabom.captivate.fm/)
* [Tromzo Podcasts](https://tromzo.com/podcasts)
* [ConversingLabs](https://www.reversinglabs.com/conversinglabs)
* [Open Source Security Podcast](https://opensourcesecurity.io/category/podcast/)
* [Code Patrol by Contrast Security - CycloneDX 1.5: The missing link in SBOMs and software transparency?](https://www.contrastsecurity.com/codepatrolpodcast/cyclonedx-15-the-missing-link-in-sboms-and-software-transparency), August 2023
* [Proof of Concept: Managing Software Supply Chain Woes](https://www.bankinfosecurity.com/proof-concept-managing-software-supply-chain-woes-a-22787), August 2023
* [Tromzo Podcast EP 41 - SAP's Helen Oakley on Protecting Human Well-Being by Securing Software Supply Chains](https://tromzo.com/podcasts/protecting-human-well-being-by-securing-software-supply-chains), July 2023
* [Tromzo Podcast EP 40 - Steve Springett on Solving Software Supply Chain Security and SBOM Challenges](https://tromzo.com/podcasts/solving-software-supply-chain-security-and-sbom-challenges), July 2023
* [Tromzo Podcast EP 25 - Navigating the Complex World of Software Supply Chain Security with Schneider Electric's Cassie Crossley](https://tromzo.com/podcasts/navigating-the-complex-world-of-software-supply-chain-security), March 2023

## Newsletters
* [tl;dr sec](https://tldrsec.com/)
* [CramHacks](https://www.cramhacks.com/)

## Blogs
#### Industry / Community
* [OpenSSF](https://openssf.org/blog/)
* [SLSA](https://slsa.dev/blog)
* [Open Source Security](https://opensourcesecurity.io/category/securityblog/)

#### Experts
* [Resilient Cyber](https://resilientcyber.substack.com/) by Chris Hughes
* [Tom Alrich's blog](http://tomalrichblog.blogspot.com/) by Tom Alrich
#### Vendors 322 | * [Chainguard](https://www.chainguard.dev/unchained) 323 | * [Endor Labs](https://www.endorlabs.com/resources-overview) 324 | * [Kusari](https://www.kusari.dev/resources) 325 | * [snyk](https://snyk.io/blog/?tag=open-source-security) 326 | * [Sonatype](https://dev.sonatype.com/) 327 | * [TestifySec](https://www.testifysec.com/blog/) 328 | 329 | ## From the Web 330 | #### Readings 331 | * [An Overview of Software Supply Chain Security](https://tldrsec.com/p/supply-chain-security-overview) 332 | * [Software Supply Chain Vendor Landscape](https://tldrsec.com/p/software-supply-chain-vendor-landscape) 333 | * [The SEI SBOM Framework: Informing Third-Party Software Management in Your Supply Chain](https://insights.sei.cmu.edu/blog/the-sei-sbom-framework-informing-third-party-software-management-in-your-supply-chain/) 334 | * [Securing the Software Supply Chain, VMWare blog](https://octo.vmware.com/part-0-securing-the-software-supply-chain/) 335 | * [The Rising Threat of Software Supply Chain Attacks: Managing Dependencies of Open Source projects](https://linuxfoundation.eu/newsroom/the-rising-threat-of-software-supply-chain-attacks-managing-dependencies-of-open-source-projects) 336 | * [The history of cybersecurity](https://blog.avast.com/history-of-cybersecurity-avast) 337 | * [Lessons Not Learned From Software Supply Chain Attacks](https://www.darkreading.com/attacks-breaches/lessons-not-learned-from-software-supply-chain-attacks) 338 | * [SBOM 101 - Answering the questions I was afraid to ask](https://sysdig.com/blog/sbom-101-software-bill-of-materials/) 339 | * [“SBOM” should not exist! Long live the SBOM.](https://medium.com/@steve_springett/sbom-should-not-exist-long-live-the-sbom-4554d5c31ff9) 340 | * [SLSA dip — At the Source of the problem!](https://medium.com/boostsecurity/slsa-dip-source-of-the-problem-a1dac46a976) 341 | * [Are SBOMs any good? 
Preliminary measurement of the quality of open source project SBOMs](https://www.chainguard.dev/unchained/are-sboms-any-good-preliminary-measurement-of-the-quality-of-open-source-project-sboms) 342 | * [I am not a supplier](https://www.softwaremaxims.com/blog/not-a-supplier) 343 | * [Making the Cyber Resilience Act work for open source software developers](https://github.blog/wp-content/uploads/2023/03/GitHub_Position_Paper-Cyber_Resilience_Act.pdf) 344 | * [Software supply chain attacks – everything you need to know](https://portswigger.net/daily-swig/software-supply-chain-attacks-everything-you-need-to-know) 345 | * [What is an SBOM, and why should you Care??](https://boxboat.com/2021/05/12/what-is-sbom-and-why-should-you-care/) 346 | * [Software Bill Of Materials (SBOM) Formats, Use Cases, and Specifications](https://fossa.com/blog/software-bill-of-materials-formats-use-cases-tools/) 347 | * [Are you ready with your SBOM ? Think again !](https://nadgowdas.github.io/blog/2021/trust-sbom/) 348 | * [What an SBOM can do for you](https://www.chainguard.dev/unchained/what-an-sbom-can-do-for-you) 349 | * [Comparing SBOM Standards: SPDX vs. 
CycloneDX](https://blog.sonatype.com/comparing-sbom-standards-spdx-vs.-cyclonedx-vs.-swid) 350 | * [GitHub blog post on Introducing npm package provenance](https://github.blog/2023-04-19-introducing-npm-package-provenance/) 351 | * [pypi-scan: A Tool for Scanning the Python Package Index for Typosquatters](https://www.iqt.org/pypi-scan/) 352 | * [Vulnerability Exploitability eXchange explained: How VEX makes SBOMs actionable](https://www.csoonline.com/article/573377/vulnerability-exploitability-exchange-explained-how-vex-makes-sboms-actionable.html) 353 | * [How a Vulnerability Exploitability eXchange can help healthcare prioritize cybersecurity risk](https://cloud.google.com/blog/products/identity-security/how-vex-helps-sbomslsa-improve-supply-chain-visibility) 354 | * [What is VEX and What Does it Have to Do with SBOMs?](https://blog.adolus.com/what-is-vex-and-what-does-it-have-to-do-with-sboms) 355 | * [VDR or VEX – Which Do I Use?](https://www.linkedin.com/pulse/vdr-vex-which-do-i-use-tony-turner/) 356 | * [How to Generate and Host an SBOM](https://cloudsmith.com/blog/how-to-generate-and-host-an-sbom/) 357 | * [How to Analyze an SBOM](https://cloudsmith.com/blog/how-to-analyze-an-sbom/) 358 | * [After the Advisory](https://blog.deps.dev/after-the-advisory/) 359 | * [The Challenges of Securing the Open Source Supply Chain](https://thenewstack.io/the-challenges-of-securing-the-open-source-supply-chain/) 360 | * [A Toolbox for a Secure Software Supply Chain](https://www.chainguard.dev/unchained/a-toolbox-for-a-secure-software-supply-chain) 361 | * [Why Do SBOM Haters Hate? 
Or Why Trade Associations Say the Darndest Things](https://dfrlab.org/2023/07/19/why-do-sbom-haters-hate/) 362 | * [Unleashing in-toto: The API of DevSecOps](https://www.cncf.io/blog/2023/08/17/unleashing-in-toto-the-api-of-devsecops/) 363 | * [All about OSC&R, a Software Supply Chain Security Framework](https://thenewstack.io/all-about-oscr-a-software-supply-chain-security-framework/) 364 | * [Defense Against Novel Threats: Redesigning CI at Mercari](https://engineering.mercari.com/en/blog/entry/20220203-defense-against-novel-threats-redesigning-ci-at-mercari/) 365 | * [OpenPubkey and Sigstore](https://blog.sigstore.dev/openpubkey-and-sigstore/) 366 | * [Open-Source Security: How Digital Infrastructure Is Built on a House of Cards](https://www.lawfaremedia.org/article/open-source-security-how-digital-infrastructure-built-house-cards) by Chinmayi Sharma 367 | * [How one programmer broke the internet by deleting a tiny piece of code](https://qz.com/646467/how-one-programmer-broke-the-internet-by-deleting-a-tiny-piece-of-code) 368 | 369 | #### Presentations 370 | * [Building Trust Brick by Brick: Exploring the Landscape of Modern Secure Supply Chain Tools](https://speakerdeck.com/dasiths/building-trust-brick-by-brick-exploring-the-landscape-of-modern-secure-supply-chain-tools), October 2023 371 | * [Reflections on Trust in the Software Supply Chain](https://i.blackhat.com/BH-US-23/Presentations/US-23-Long-Reflections-On-Trust.pdf) by [Jeremy Long](https://www.blackhat.com/us-23/briefings/schedule/speakers.html#jeremy-long-31926), BlackHat, August 2023 372 | * [Flaming Hot SLSA!](https://speakerdeck.com/abhaybhargav/flaming-hot-slsa) by [Abhay Bhargav](https://www.linkedin.com/in/abhaybhargav/), 2022 373 | * [Attacking and Securing CI/CD Pipeline](https://speakerdeck.com/rung/cd-pipeline), 2021 374 | * [MITRE Software Bill of Materials (SBOM) 
Presentation](https://csrc.nist.gov/CSRC/media/Projects/cyber-supply-chain-risk-management/documents/SSCA/Spring_2019/8MayAM2.3_Software_Bill_of_Materials_Robert_Martin_05_08_19_clean.pdf), 2019 375 | 376 | #### Videos 377 | * [Top 10 Open Source Software (OSS) Risks](https://www.youtube.com/watch?v=oM7qp4Zneus), November 2023 378 | * [SBOM & CycloneDX with Steve Springett](https://www.youtube.com/watch?v=WDl1w9HXJUA), August 2023 379 | * [Software Identity And The Naming Of Things](https://www.youtube.com/watch?v=wzo81uccSfU), 2023 380 | * [Why you need an XBOM – the eXtended Software Bill of Materials](https://www.youtube.com/watch?v=KPa-v5KndIY) 381 | * [Securing Shopify's Software Supply Chain by Shane Lawrence, Shopify](https://www.youtube.com/watch?v=yuDMsB0jsdE), 2022 382 | * [How to start learning about Supply Chain Security | Cloud Native Podcast, Episode 48](https://www.youtube.com/watch?v=vFLmm8NnHFg) 383 | * [Using CSAF to Respond to Supply Chain Vulnerabilities at Large Scale](https://www.youtube.com/watch?v=z6Psfopy55E) 384 | * [The Three Disciplines of CI/CD Security // DANIEL KRIVELEVICH](https://www.youtube.com/watch?v=9wREQrOqvkY) 385 | * [Securing the Digital Commons: Open-Source Software Cybersecurity](https://www.congress.gov/event/117th-congress/house-event/114727) 386 | 387 | ## Software Supply Chain Security & Artificial Intelligence (AI) 388 | None 389 | 390 | ## Vendors 391 | * [Anchore](https://anchore.com/) 392 | * [Binarly](https://www.binarly.io/) 393 | * [Chainguard](https://www.chainguard.dev/) 394 | * [Codenotary](https://codenotary.com/) 395 | * [Cybeats](https://www.cybeats.com/) 396 | * [EdgeBit](https://edgebit.io/) 397 | * [Endor Labs](https://www.endorlabs.com/) 398 | * [FOSSA](https://fossa.com/) 399 | * [Kusari](https://www.kusari.dev/) 400 | * [Lineaje](https://www.lineaje.dev/) 401 | * [Myrror](https://www.myrror.security/) 402 | * [NetRise](https://www.netrise.io/) 403 | * [Ox Security](https://www.ox.security/) 404 | * 
[Rezilion](https://www.rezilion.com/) 405 | * [Semgrep](https://semgrep.dev/) 406 | * [TestifySec](https://www.testifysec.com/) 407 | * [Venafi](https://venafi.com/) 408 | * [Xygeni](https://xygeni.io/) 409 | 410 | ## Miscellaneous / Unsorted 411 | * [SRE Books from Google](https://sre.google/books/) 412 | 413 | --------------------------------------------------------------------------------