Resources
Useful references and resources for open source security and supply chain protection
Here are valuable references and resources for understanding and implementing open source security and supply chain protection.
Security Frameworks & Standards
SLSA
Supply-chain Levels for Software Artifacts - A security framework for software supply chain integrity
OpenSSF Scorecard
Automated security health metrics for open source projects
NIST SSDF
Secure Software Development Framework for comprehensive software security
CIS Controls
Cybersecurity controls including software asset management
Vulnerability Databases
OSV Database
Distributed vulnerability database for open source software
National Vulnerability Database
US government repository of standards-based vulnerability management data
GitHub Advisory Database
Security advisories from GitHub and the open source community
Snyk Vulnerability DB
Commercial vulnerability database with detailed remediation guidance
Security Tools & Scanners
OSV-Scanner
Google’s vulnerability scanner for dependencies and container images
Trivy
Comprehensive security scanner for containers, IaC, and dependencies
Dependabot
GitHub’s automated dependency update and security alert service
Snyk
Commercial security platform for finding and fixing vulnerabilities
Package Registries & Metadata
deps.dev
Google’s open source insights and dependency information service
Libraries.io
Comprehensive package manager and dependency tracking platform
NPM Security
Security features and audit capabilities in the npm ecosystem
PyPI Security
Security features and best practices for Python Package Index
SBOM Tools & Standards
CycloneDX
Lightweight software bill of materials standard and tooling
SPDX
Software Package Data Exchange standard for software supply chain data
NTIA SBOM
US government guidance on software bill of materials
CISA SBOM
Cybersecurity and Infrastructure Security Agency SBOM resources
Policy & Compliance
Executive Order 14028
US Executive Order on Improving the Nation’s Cybersecurity
Open Policy Agent
Policy engine for cloud native environments and infrastructure
NIST Cybersecurity Framework
Framework for improving critical infrastructure cybersecurity
ISO 27001
International standard for information security management
Research & Intelligence
Sonatype State of Software Supply Chain
Annual report on software supply chain security trends
CNCF Security TAG
Cloud Native Computing Foundation security technical advisory group
OpenSSF Research
Open Source Security Foundation research initiatives
IEEE Software Supply Chain
Academic research on software engineering and security
Learning Resources
Books and Publications
Supply Chain Security
Supply Chain Security
- “Supply Chain Security” by Cassie Kozyrkov - Comprehensive guide to supply chain risk
- “Secure by Design” by Dan Bergh Johnsson - Building security into software architecture
- “Building Secure and Reliable Systems” by Google SRE - Google’s approach to system security
DevSecOps
DevSecOps
- “DevSecOps Handbook” by Gene Kim - Integrating security into DevOps practices
- “Agile Application Security” by Laura Bell - Security in agile development environments
- “Infrastructure as Code Security” by Adin Ermie - Securing cloud infrastructure automation
Open Source Security
Open Source Security
- NIST Guidelines for secure software development
- OpenSSF Best Practices for open source project security
- Linux Foundation Reports on open source security trends
Training and Certification
Professional Certifications
Professional Certifications
- CISSP - Information security management
- CSSLP - Secure software lifecycle professional
- DevSecOps Engineer - Various providers offer DevSecOps certifications
Online Courses
Online Courses
- SANS DevSecOps training courses
- Coursera Security specializations
- edX Cybersecurity programs
Hands-on Labs
Hands-on Labs
- Kubernetes Security workshops
- Container Security labs
- Supply Chain Attack simulations
Industry Organizations
OpenSSF
Open Source Security Foundation - Cross-industry collaboration on security
CNCF
Cloud Native Computing Foundation - Container and cloud security
Linux Foundation
Research on free and open source software usage and security
OWASP
Open Web Application Security Project - Web application security
Conferences and Events
Major Security Conferences
- RSA Conference - Premier cybersecurity event
- Black Hat / DEF CON - Security research and hacking conference
- BSides - Community-driven security conferences worldwide
- OWASP Global AppSec - Application security conference
Supply Chain Specific Events
- Supply Chain Security Summit - Focused on software supply chain
- KubeCon + CloudNativeCon - Cloud native and container security
- Open Source Summit - Linux Foundation’s flagship open source event
- DevSecOps Days - Local DevSecOps community events
Tools Integration
CI/CD Platforms
GitHub Actions
GitHub Actions
- Security scanning actions marketplace
- SARIF report integration
- Dependency review workflows
GitLab CI/CD
GitLab CI/CD
- Security scanning templates
- Dependency scanning integration
- Container registry security
Jenkins
Jenkins
- Security plugins ecosystem
- Pipeline security integration
- Artifact scanning automation
Container Security
Image Scanning
Image Scanning
- Docker Hub security scanning
- Amazon ECR image scanning
- Google Container Analysis
Runtime Security
Runtime Security
- Falco runtime security monitoring
- Twistlock/Prisma Cloud container protection
- Aqua Security container platform
Community Resources
SafeDep Community
Join our Discord community for vet and SafeDep discussions
Security Twitter
Follow security researchers and practitioners
Reddit r/netsec
Network security community discussions
HackerNews Security
Technology and security news discussions
Regular Publications
Security Newsletters
- tl;dr sec - Weekly security newsletter
- Krebs on Security - Security journalism and investigation
- The Hacker News - Cybersecurity news and insights
- Dark Reading - Enterprise security coverage
Research Publications
- ACM Digital Library - Academic computer science research
- IEEE Xplore - Engineering and technology research
- arXiv Security - Preprint security research papers
- USENIX Security - Systems security research
This curated list represents some of the most valuable resources in the open source security and supply chain protection space. For the latest tools, research, and best practices, consider joining our community where members share updates and discoveries.
Resources are regularly updated as the security landscape evolves. Submit suggestions for additional resources through our GitHub repository or community channels.
Resources
Useful references and resources for open source security and supply chain protection
Here are valuable references and resources for understanding and implementing open source security and supply chain protection.
Security Frameworks & Standards
SLSA
Supply-chain Levels for Software Artifacts - A security framework for software supply chain integrity
OpenSSF Scorecard
Automated security health metrics for open source projects
NIST SSDF
Secure Software Development Framework for comprehensive software security
CIS Controls
Cybersecurity controls including software asset management
Vulnerability Databases
OSV Database
Distributed vulnerability database for open source software
National Vulnerability Database
US government repository of standards-based vulnerability management data
GitHub Advisory Database
Security advisories from GitHub and the open source community
Snyk Vulnerability DB
Commercial vulnerability database with detailed remediation guidance
Security Tools & Scanners
OSV-Scanner
Google’s vulnerability scanner for dependencies and container images
Trivy
Comprehensive security scanner for containers, IaC, and dependencies
Dependabot
GitHub’s automated dependency update and security alert service
Snyk
Commercial security platform for finding and fixing vulnerabilities
Package Registries & Metadata
deps.dev
Google’s open source insights and dependency information service
Libraries.io
Comprehensive package manager and dependency tracking platform
NPM Security
Security features and audit capabilities in the npm ecosystem
PyPI Security
Security features and best practices for Python Package Index
SBOM Tools & Standards
CycloneDX
Lightweight software bill of materials standard and tooling
SPDX
Software Package Data Exchange standard for software supply chain data
NTIA SBOM
US government guidance on software bill of materials
CISA SBOM
Cybersecurity and Infrastructure Security Agency SBOM resources
Policy & Compliance
Executive Order 14028
US Executive Order on Improving the Nation’s Cybersecurity
Open Policy Agent
Policy engine for cloud native environments and infrastructure
NIST Cybersecurity Framework
Framework for improving critical infrastructure cybersecurity
ISO 27001
International standard for information security management
Research & Intelligence
Sonatype State of Software Supply Chain
Annual report on software supply chain security trends
CNCF Security TAG
Cloud Native Computing Foundation security technical advisory group
OpenSSF Research
Open Source Security Foundation research initiatives
IEEE Software Supply Chain
Academic research on software engineering and security
Learning Resources
Books and Publications
Supply Chain Security
Supply Chain Security
- “Supply Chain Security” by Cassie Kozyrkov - Comprehensive guide to supply chain risk
- “Secure by Design” by Dan Bergh Johnsson - Building security into software architecture
- “Building Secure and Reliable Systems” by Google SRE - Google’s approach to system security
DevSecOps
DevSecOps
- “DevSecOps Handbook” by Gene Kim - Integrating security into DevOps practices
- “Agile Application Security” by Laura Bell - Security in agile development environments
- “Infrastructure as Code Security” by Adin Ermie - Securing cloud infrastructure automation
Open Source Security
Open Source Security
- NIST Guidelines for secure software development
- OpenSSF Best Practices for open source project security
- Linux Foundation Reports on open source security trends
Training and Certification
Professional Certifications
Professional Certifications
- CISSP - Information security management
- CSSLP - Secure software lifecycle professional
- DevSecOps Engineer - Various providers offer DevSecOps certifications
Online Courses
Online Courses
- SANS DevSecOps training courses
- Coursera Security specializations
- edX Cybersecurity programs
Hands-on Labs
Hands-on Labs
- Kubernetes Security workshops
- Container Security labs
- Supply Chain Attack simulations
Industry Organizations
OpenSSF
Open Source Security Foundation - Cross-industry collaboration on security
CNCF
Cloud Native Computing Foundation - Container and cloud security
Linux Foundation
Research on free and open source software usage and security
OWASP
Open Web Application Security Project - Web application security
Conferences and Events
Major Security Conferences
- RSA Conference - Premier cybersecurity event
- Black Hat / DEF CON - Security research and hacking conference
- BSides - Community-driven security conferences worldwide
- OWASP Global AppSec - Application security conference
Supply Chain Specific Events
- Supply Chain Security Summit - Focused on software supply chain
- KubeCon + CloudNativeCon - Cloud native and container security
- Open Source Summit - Linux Foundation’s flagship open source event
- DevSecOps Days - Local DevSecOps community events
Tools Integration
CI/CD Platforms
GitHub Actions
GitHub Actions
- Security scanning actions marketplace
- SARIF report integration
- Dependency review workflows
GitLab CI/CD
GitLab CI/CD
- Security scanning templates
- Dependency scanning integration
- Container registry security
Jenkins
Jenkins
- Security plugins ecosystem
- Pipeline security integration
- Artifact scanning automation
Container Security
Image Scanning
Image Scanning
- Docker Hub security scanning
- Amazon ECR image scanning
- Google Container Analysis
Runtime Security
Runtime Security
- Falco runtime security monitoring
- Twistlock/Prisma Cloud container protection
- Aqua Security container platform
Community Resources
SafeDep Community
Join our Discord community for vet and SafeDep discussions
Security Twitter
Follow security researchers and practitioners
Reddit r/netsec
Network security community discussions
HackerNews Security
Technology and security news discussions
Regular Publications
Security Newsletters
- tl;dr sec - Weekly security newsletter
- Krebs on Security - Security journalism and investigation
- The Hacker News - Cybersecurity news and insights
- Dark Reading - Enterprise security coverage
Research Publications
- ACM Digital Library - Academic computer science research
- IEEE Xplore - Engineering and technology research
- arXiv Security - Preprint security research papers
- USENIX Security - Systems security research
This curated list represents some of the most valuable resources in the open source security and supply chain protection space. For the latest tools, research, and best practices, consider joining our community where members share updates and discoveries.
Resources are regularly updated as the security landscape evolves. Submit suggestions for additional resources through our GitHub repository or community channels.