OWASP Software Component Verification Standard

The Software Component Verification Standard (SCVS) is a community-driven effort to establish a framework for identifying activities, controls, and best practices, which can help in identifying and reducing risk in a software supply chain.

Managing risk in the software supply chain is important to reduce the surface area of systems vulnerable to exploits, and to measure technical debt as a barrier to remediation.

Raising the bar for supply chain assurance requires the active participation of risk managers, mission owners, and business units like legal and procurement, which have not traditionally been involved with technical implementation.

Determination of risk acceptance criteria is not a problem that can be solved by enterprise tooling: it is up to risk managers and business decision makers to evaluate the advantages and trade-offs of security measures based on system exposure, regulatory requirements, and constrained financial and human resources. Mandates that are internally unachievable, or that bring development or procurement to a standstill, constitute their own security and institutional risks.

SCVS is designed to be implemented incrementally, and to allow organizations to phase in controls at different levels over time.

SCVS has the following goals:

  • Develop a common taxonomy of activities, controls, and best-practices that can reduce risk in a software supply chain
  • Devise a path to baseline and mature software supply chain vigilance

Availability

The SCVS project has released version 1.0.0.RC.1 as a public preview. This release is the result of continuous collaboration among a team of volunteers and subject matter experts.

SCVS is available (in English) as PDF, Word (docx), JSON, or XML. It can also be read online via GitBook.

Translations

The project maintainers are actively looking for volunteers to translate SCVS into a number of languages. Please reach out on the projects Slack channel or on GitHub if interested.


News

  • 2020/4/16 - Initial preview release v1.0.0-RC.1
  • 2019/8/28 - Project Launched

Acknowledgements

The Software Component Verification Standard is built upon the shoulders of those involved. If credit is missing from the list, please contact [email protected] or log a ticket at GitHub to be recognized.

Authors

  • Steve Springett
  • JC Herz
  • Mark Symons

Contributors

  • Dave Russo
  • Garret Fick
  • John Scott
  • Pruthvi Nallapareddy
  • Bryan Garcia