Reading list

Document status: ⚠️ DRAFT

[!CAUTION] This is The CPAN Security Group recommended reading list. If you have any additions or improvements, please open an issue, citing this page.

• Contribute on Github: https://github.com/CPAN-Security/security.metacpan.org/blob/readinglist/docs/readinglist.md
• Discuss on IRC: ircs://ssl.irc.perl.org:7062/#cpan-security

Software Bills of Materials (SBOM)

• (NTIA) The Minimum Elements For a Software Bill of Materials (SBOM) (July 2021)
• (NSA, ODNI, CISA) Securing the Software Supply Chain: Recommended Practices for Managing OSS and SBOMs (December 2023)
• (NTIA) Survey of Existing SBOM Formats and Standards (2021)

SBOM use cases

• (CDX) CycloneDX Use Cases
• (SPDX) A Practical Guide to SPDX
• (SPDX) How To Use SPDX 2.3 in Different Scenarios

Useful articles and papers

• (NTIA) Software Suppliers Playbook: SBOM Production and Provision (November 2021)
• Managing Open Source and SBOMs (Chris Huges, 2023)
• Understanding OWASP’s Bill of Material Maturity Model: Not all SBOMs are created equal (Chris Huges, 2023)
• (NTIA) Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) (October 2021)
• (Lawfare Media) Open-Source Security: How Digital Infrastructure Is Built on a House of Cards (July 2022)
• (EU) The CRA Fact Sheet
• (CISA) SBOM Sharing Roles and Considerations (March 2024)
• (SPDX) Using SPDX to comply with Norms, Standards and Regulation (SPDX 2.3)
• (SPDX) Satisfying NTIA Minimum Elements for an SBOM using SPDX (SPDX 3.0)

See also the Regulations, directives and laws section below.

Software identification (naming & versioning)

• PURL Specification
• (CPAN) URI::PackageURL
• (CPAN) CPAN::DistnameInfo

Useful articles, papers and resources

• (CISA) Software Identification Ecosystem Option Analysis (October 2023)
• (Repology) Repology ruleset repo

Provenance & Supply Chain Security

• (OpenSSF) Principles for Package Repository Security (Feb 2024)
• (OpenSSF) Build Provenance for All Package Registries (July 2023)
• (SLSA) SLSA v1.0 Guiding Principles
• (SLSA) SLSA v1.0 Terminology
• (SLSA) SLSA v1.0 Developer’s quick-start guide
• (SLSA) SLSA v1.0 Infrastructure provider’s quick-start guide

Transparency Logs

• (OpenSSF) Sigstore home
• (OpenSSF) Sigstore: Simplifying Code Signing for Open Source Ecosystems
• (Chainguard.dev) Life of a Sigstore signature

Regulations, directives and laws

There are several relevant legislation regarding cybersecurity in Open Source ecosystems and supply chains.

USA – EO 14028

• (USA) Executive Order on Improving the Nation’s Cybersecurity (EO 14028, 2021-05-12)
  • Section 4: Enhancing Software Supply Chain Security

EU and EEA – NIS2

Directive 2022/2555, Network and Information Security Directive 2 (NIS2)

• Legislative Train Schedule
• In the NIS2 Recitals
  • Recital (58): On the handling of discovered vulnerabilities (page 12)
  • Recital (62): Access to correct and timely information about vulnerabilities (page 13)
  • Recital (85): On supply-chain risk management (page 17)
  • Recital (89): Adoption of basic cyber hygiene practices (page 17)
  • Recitals (90-91): On coordinated security risk assessments of supply chains (page 18)
• In Chapter I
  • Article 6: Definitions
• In Chapter II
  • Article 7, point 2(a): Creation of a national cybersecurity strategy regarding the security of supply chains for ICT products and services
• In Chapter IV
  • Articles 21, points 1, 2 and 3: All-hazards approach to cybersecurity risk-management measures (page 48)

EU and EEA – CRA

(EU) Cyber Resilience Act (CRA, updated 2024-03-12)

• In the CRA Recitals
  • Recital (10): CRA relevance for supply chains (page 11)
  • Recitals (16-17): CRA relevance for Open Source projects (page 18-19)
  • Recital (18): Open Source Software Contributors (page 20)
  • Recital (19): Open Source Software Stewards, light-touch regulatory regime, and CE mark implications (page 22)
  • Recital (20): Open Source package managers considerations as “distributors” (page 24)
  • Recital (21): Voluntary security attestation programs for Open Source projects (page 25)
  • Recital (22): Submission of SBOMs for Open Source projects (page 26)
  • Recital (24): CRA relevance for the NIS2 directive (page 29)
  • Recital (31): Manufacturer’s liability due to lack of security updates (page 36)
  • Recital (34): Due diligence when integrating third-party components (page 39)
  • Recital (37): Software for testing purposes, alphas, betas (page 42)
  • Recital (39): Continued security updates (page 44)
  • Recital (41): Substantial modifications requires a new conformity assessment to be done (page 47)
  • Recital (43-45): Important products with digital elements (page 49-51)
  • Recitals (60-62): Support period (page 69-71)
  • Recital (64): Point of contact (page 73)
  • Recital (65): Secure by default (page 73)
• In the CRA Chapters
  • Chapter I, Article 3: Definitions (pages 136-146)
  • Chapter I, Article 9, Point 1. (b-c): Stakeholder consultation (pages 155-156)
  • Chapter II — Obligations of Economic Operators and Provisions in relation to Free and Open-Source Software
    • Article 13, Obligations of Manufacturers (pages 161-175)
    • Article 14, Reporting obligations of manufacturers (pages 176-184)
    • Article 15, Voluntary reporting (pages 185-186)
    • Article 16, Establishment of a single reporting platform (pages 187-192)
    • Article 17, Other provisions related to reporting (pages 193-195)
    • Article 18, Authorized representatives (pages 195-196)
    • Article 19, Obligations of importers (pages 197-201)
    • Article 20, Obligations of distributors (pages 202-205)
    • Article 21, Cases in which obligations of manufacturers apply to importers and distributors (page 205)
    • Article 22, Other cases in which obligations of manufacturers apply (page 206)
    • Article 23, Identification of economic operators (page 207)
  • Chapter II – Obligations of open-source software stewards
    • Article 24, Obligations of open-source software stewards (pages 208-209)
    • Article 25, Security attestation of free and open-source software (page 210)
    • Article 26, Guidance (pages 211-212)
  • Chapter III — Conformity of the product with digital elements
    • Article 28, EU declaration of conformity (pages 218-219)
    • Article 29, General principles of the CE marking (page 219)
    • Article 30, Rules and conditions for affixing the CE marking (pages 220-222)
  • Chapter V — Market Surveillance and Enforcement
    • Article 58, Formal non-compliance (pages 276)
• In CRA Annex I
  • Essential Cybersecurity Requirements (pages 297-302)
    • Part I — Cybersecurity requirements relating to the properties of products with digital elements (pages 297-300)
    • Part II — Vulnerability handling requirements (pages 300-302)
• In CRA Annex II
  • Information and Instructions to the User (pages 303-305)
• In CRA, Annex VII, Dated 2024-03-12
  • Requirements to Technical Documentation content (pages 314-316)
• Legislative Train Schedule

EU and EEA – PLD

(EU) Product Liability Directive (PLD)

• Legislative Train Schedule

EU and EEA – DORA

(EU) Digital Operational Resilience Act: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (DORA, 2022-12-14)

• Legislative Train Schedule

Other articles and guides

• (Checkmarx) Preparing for Europe’s Most Extensive Cybersecurity Directive, NIS2 – What AppSec teams need to know
• (CPAN) It takes a community to raise a CPAN module – describing the different personas or roles involved in the life-cycle of a CPAN distribution.

License and use of this document

• Version: 0.5.0
• License: CC-BY-SA-4.0
• Copyright: © Salve J. Nilsen sjn@cpan.org, Some rights reserved.

You may use, modify and share this file under the terms of the CC-BY-SA-4.0 license.

Acknowledgements

People have been involved in the development of this document

• Salve J. Nilsen (main author)