Reading list
Document status: ⚠️ DRAFT
[!CAUTION] This is the CPAN Security Group's recommended reading list. If you have any additions or improvements, please open an issue citing this page.
- Contribute on Github: https://github.com/CPAN-Security/security.metacpan.org/blob/readinglist/docs/readinglist.md
- Discuss on IRC: ircs://ssl.irc.perl.org:7062/#cpan-security
Software Bills of Materials (SBOM)
- (NTIA) The Minimum Elements For a Software Bill of Materials (SBOM) (July 2021)
- (NSA, ODNI, CISA) Securing the Software Supply Chain: Recommended Practices for Managing OSS and SBOMs (December 2023)
- (NTIA) Survey of Existing SBOM Formats and Standards (2021)
SBOM use cases
- (CDX) CycloneDX Use Cases
- (SPDX) A Practical Guide to SPDX
- (SPDX) How To Use SPDX 2.3 in Different Scenarios
Useful articles and papers
- (NTIA) Software Suppliers Playbook: SBOM Production and Provision (November 2021)
- Managing Open Source and SBOMs (Chris Hughes, 2023)
- Understanding OWASP's Bill of Material Maturity Model: Not all SBOMs are created equal (Chris Hughes, 2023)
- (NTIA) Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) (October 2021)
- (Lawfare Media) Open-Source Security: How Digital Infrastructure Is Built on a House of Cards (July 2022)
- (EU) The CRA Fact Sheet
- (CISA) SBOM Sharing Roles and Considerations (March 2024)
- (SPDX) Using SPDX to comply with Norms, Standards and Regulation (SPDX 2.3)
- (SPDX) Satisfying NTIA Minimum Elements for an SBOM using SPDX (SPDX 3.0)
See also the Regulations, directives and laws section below.
Software identification (naming & versioning)
- PURL Specification
- (CPAN) URI::PackageURL
- (CPAN) CPAN::DistnameInfo
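As an added worked example (not code from this reading list or from the two modules' own documentation), the following shows how the modules listed above fit together: CPAN::DistnameInfo splits a CPAN release path into author, distribution name and version, and URI::PackageURL turns those parts into a Package URL and parses one back. It assumes both modules are installed from CPAN; the release paths are constructed for illustration.

```perl
#!/usr/bin/env perl
# Added example, not part of the reading list or of either module's own docs.
# Assumes URI::PackageURL and CPAN::DistnameInfo are installed from CPAN.
use strict;
use warnings;
use feature 'say';

use CPAN::DistnameInfo;
use URI::PackageURL;

# Constructed example path, in the layout used under authors/id/ on CPAN mirrors.
my $path = 'authors/id/G/GD/GDT/URI-PackageURL-2.20.tar.gz';

# CPAN::DistnameInfo parses the release file name into its parts:
# uploader (cpanid), distribution name, version, and maturity
# ('released' for a normal release, 'developer' for an underscore/TRIAL release).
my $info = CPAN::DistnameInfo->new($path);

say 'cpanid:   ', $info->cpanid;
say 'dist:     ', $info->dist;
say 'version:  ', $info->version;
say 'maturity: ', $info->maturity;

# Build the matching Package URL. The PURL spec's "cpan" type puts the
# uploader's CPAN id in the namespace and the hyphenated distribution name in
# the name, so the purl identifies one specific release rather than a module
# (module names use '::' and carry no namespace).
my $purl = URI::PackageURL->new(
    type      => 'cpan',
    namespace => $info->cpanid,
    name      => $info->dist,
    version   => $info->version,
);
say 'purl:     ', $purl->to_string;

# Round trip: parse the purl string back and check it still names the same release.
my $parsed = URI::PackageURL->from_string( $purl->to_string );
die 'round-trip mismatch'
    unless $parsed->type eq 'cpan'
        && $parsed->namespace eq $info->cpanid
        && $parsed->name eq $info->dist
        && $parsed->version eq $info->version;

# Developer releases: an underscore in the version marks a developer release,
# which an SBOM consumer should not treat as a supported version.
my $dev = CPAN::DistnameInfo->new('authors/id/G/GD/GDT/URI-PackageURL-2.20_01.tar.gz');
die 'expected a developer release' unless $dev->maturity eq 'developer';
say 'developer release version: ', $dev->version;
```

Run it with `perl example.pl` after installing the two modules (`cpanm URI::PackageURL CPAN::DistnameInfo`). The `die` checks make the script its own test: it exits non-zero if the purl does not round-trip or the developer release is not flagged as such.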
Useful articles, papers and resources
- (CISA) Software Identification Ecosystem Option Analysis (October 2023)
- (Repology) Repology ruleset repo
Provenance & Supply Chain Security
- (OpenSSF) Principles for Package Repository Security (Feb 2024)
- (OpenSSF) Build Provenance for All Package Registries (July 2023)
- (SLSA) SLSA v1.0 Guiding Principles
- (SLSA) SLSA v1.0 Terminology
- (SLSA) SLSA v1.0 Developer’s quick-start guide
- (SLSA) SLSA v1.0 Infrastructure provider’s quick-start guide
Transparency Logs
- (OpenSSF) Sigstore home
- (OpenSSF) Sigstore: Simplifying Code Signing for Open Source Ecosystems
- (Chainguard.dev) Life of a Sigstore signature
Regulations, directives and laws
Several pieces of legislation are relevant to cybersecurity in Open Source ecosystems and supply chains.
USA – EO 14028
- (USA) Executive Order on Improving the Nation’s Cybersecurity (EO 14028, 2021-05-12)
- Section 4: Enhancing Software Supply Chain Security
EU and EEA – NIS2
Directive (EU) 2022/2555, the Network and Information Security Directive 2 (NIS2)
- Legislative Train Schedule
- In the NIS2 Recitals
- Recital (58): On the handling of discovered vulnerabilities (page 12)
- Recital (62): Access to correct and timely information about vulnerabilities (page 13)
- Recital (85): On supply-chain risk management (page 17)
- Recital (89): Adoption of basic cyber hygiene practices (page 17)
- Recitals (90-91): On coordinated security risk assessments of supply chains (page 18)
- In Chapter I
- Article 6: Definitions
- In Chapter II
- Article 7, point 2(a): Creation of a national cybersecurity strategy regarding the security of supply chains for ICT products and services
- In Chapter IV
- Article 21, points 1, 2 and 3: All-hazards approach to cybersecurity risk-management measures (page 48)
EU and EEA – CRA
(EU) Cyber Resilience Act (CRA, updated 2024-03-12)
- In the CRA Recitals
- Recital (10): CRA relevance for supply chains (page 11)
- Recitals (16-17): CRA relevance for Open Source projects (pages 18-19)
- Recital (18): Open Source Software Contributors (page 20)
- Recital (19): Open Source Software Stewards, light-touch regulatory regime, and CE mark implications (page 22)
- Recital (20): Open Source package managers considerations as “distributors” (page 24)
- Recital (21): Voluntary security attestation programs for Open Source projects (page 25)
- Recital (22): Submission of SBOMs for Open Source projects (page 26)
- Recital (24): CRA relevance for the NIS2 directive (page 29)
- Recital (31): Manufacturer’s liability due to lack of security updates (page 36)
- Recital (34): Due diligence when integrating third-party components (page 39)
- Recital (37): Software for testing purposes, alphas, betas (page 42)
- Recital (39): Continued security updates (page 44)
- Recital (41): Substantial modifications require a new conformity assessment (page 47)
- Recitals (43-45): Important products with digital elements (pages 49-51)
- Recitals (60-62): Support period (pages 69-71)
- Recital (64): Point of contact (page 73)
- Recital (65): Secure by default (page 73)
- In the CRA Chapters
- Chapter I, Article 3: Definitions (pages 136-146)
- Chapter I, Article 9, point 1(b) and (c): Stakeholder consultation (pages 155-156)
- Chapter II — Obligations of Economic Operators and Provisions in relation to Free and Open-Source Software
- Article 13, Obligations of Manufacturers (pages 161-175)
- Article 14, Reporting obligations of manufacturers (pages 176-184)
- Article 15, Voluntary reporting (pages 185-186)
- Article 16, Establishment of a single reporting platform (pages 187-192)
- Article 17, Other provisions related to reporting (pages 193-195)
- Article 18, Authorized representatives (pages 195-196)
- Article 19, Obligations of importers (pages 197-201)
- Article 20, Obligations of distributors (pages 202-205)
- Article 21, Cases in which obligations of manufacturers apply to importers and distributors (page 205)
- Article 22, Other cases in which obligations of manufacturers apply (page 206)
- Article 23, Identification of economic operators (page 207)
- Chapter II – Obligations of open-source software stewards
- Article 24, Obligations of open-source software stewards (pages 208-209)
- Article 25, Security attestation of free and open-source software (page 210)
- Article 26, Guidance (pages 211-212)
- Chapter III — Conformity of the product with digital elements
- Article 28, EU declaration of conformity (pages 218-219)
- Article 29, General principles of the CE marking (page 219)
- Article 30, Rules and conditions for affixing the CE marking (pages 220-222)
- Chapter V — Market Surveillance and Enforcement
- Article 58, Formal non-compliance (page 276)
- In CRA Annex I
- Essential Cybersecurity Requirements (pages 297-302)
- Part I — Cybersecurity requirements relating to the properties of products with digital elements (pages 297-300)
- Part II — Vulnerability handling requirements (pages 300-302)
- In CRA Annex II
- Information and Instructions to the User (pages 303-305)
- In CRA Annex VII (dated 2024-03-12)
- Requirements to Technical Documentation content (pages 314-316)
- Legislative Train Schedule
EU and EEA – PLD
(EU) Product Liability Directive (PLD)
EU and EEA – DORA
(EU) Digital Operational Resilience Act: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (DORA, 2022-12-14)
Other articles and guides
- (Checkmarx) Preparing for Europe’s Most Extensive Cybersecurity Directive, NIS2 – What AppSec teams need to know
- (CPAN) It takes a community to raise a CPAN module – describing the different personas or roles involved in the life-cycle of a CPAN distribution.
License and use of this document
- Version: 0.5.0
- License: CC-BY-SA-4.0
- Copyright: © Salve J. Nilsen <sjn@cpan.org>, some rights reserved.
You may use, modify and share this file under the terms of the CC-BY-SA-4.0 license.
Acknowledgements
The following people have been involved in the development of this document:
- Salve J. Nilsen (main author)