diff --git a/README.md b/README.md index 7314df9..69a69ab 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # KESE - KISA Enhanced Security Evaluation Kit -주요정보통신기반시설(CII) 취약점 분석평가, AI 보안 평가, 로봇 보안 점검, 우주 보안 점검, 시큐어코딩 가이드, 제로트러스트 보안 평가를 위한 Claude Code 스킬 플러그인입니다. +주요정보통신기반시설(CII) 취약점 분석평가, AI 보안 평가, 로봇 보안 점검, 우주 보안 점검, 시큐어코딩 가이드, 제로트러스트 보안 평가, SW 공급망 보안(SBOM)을 위한 Claude Code 스킬 플러그인입니다. 🌐 [한국어](#빠른-시작) | [English](#english) | [Français](docs/README.fr.md) | [日本語](docs/README.ja.md) | [中文](docs/README.zh.md) | [Русский](docs/README.ru.md) | [Español](docs/README.es.md) | [Deutsch](docs/README.de.md) | [Português](docs/README.pt.md) | [Italiano](docs/README.it.md) | [العربية](docs/README.ar.md) | [हिन्दी](docs/README.hi.md) | [Türkçe](docs/README.tr.md) | [Tiếng Việt](docs/README.vi.md) | [ภาษาไทย](docs/README.th.md) | [Bahasa Indonesia](docs/README.id.md) | [Polski](docs/README.pl.md) | [Nederlands](docs/README.nl.md) | [Svenska](docs/README.sv.md) | [Українська](docs/README.uk.md) @@ -73,16 +73,16 @@ Claude Code 프롬프트에 슬래시 명령어를 입력합니다: ## 개요 -KESE(KISA Enhanced Security Evaluation Kit)는 KISA(한국인터넷진흥원) 가이드라인에 기반한 보안 취약점 분석평가 기능을 제공하는 Claude Code 플러그인입니다. 주요정보통신기반시설(CII) 취약점 분석평가, AI 보안 평가, 로봇 보안 점검, 우주 보안 점검, 제로트러스트 보안 평가를 지원합니다. +KESE(KISA Enhanced Security Evaluation Kit)는 KISA(한국인터넷진흥원) 가이드라인에 기반한 보안 취약점 분석평가 기능을 제공하는 Claude Code 플러그인입니다. 주요정보통신기반시설(CII) 취약점 분석평가, AI 보안 평가, 로봇 보안 점검, 우주 보안 점검, 제로트러스트 보안 평가, SW 공급망 보안(SBOM)을 지원합니다. ### 기능 | 스킬 | 설명 | |------|------| -| `/kesekit-start-ko` | 전체 보안 취약점 분석평가 실행 (CII 560+ / AI 보안 / 로봇 보안 / 우주 보안 / 시큐어코딩 / 제로트러스트) | -| `/kesekit-check-ko` | 배포 전 보안 컴플라이언스 체크리스트 (CII / AI / 로봇 / 우주 / 시큐어코딩 / 제로트러스트) | -| `/kesekit-fix-ko` | 하드닝 스크립트 및 보안 수정 자동 생성 (CII / AI / 로봇 / 우주 / 시큐어코딩 / 제로트러스트) | -| `/kesekit-guide-ko` | AI 도구용 시큐어코딩 프롬프트 생성 (CII / AI / 로봇 / 우주 / JS·Python·범용 / 제로트러스트) | +| `/kesekit-start-ko` | 전체 보안 취약점 분석평가 실행 (CII 560+ / AI 보안 / 로봇 보안 / 우주 보안 / 시큐어코딩 / 제로트러스트 / SW 공급망) | +| `/kesekit-check-ko` | 배포 전 보안 컴플라이언스 체크리스트 (CII / AI / 로봇 / 우주 / 시큐어코딩 / 제로트러스트 / SW 공급망) | +| `/kesekit-fix-ko` | 하드닝 스크립트 및 보안 수정 자동 생성 (CII / AI / 로봇 / 우주 / 시큐어코딩 / 제로트러스트 / SW 공급망) | +| `/kesekit-guide-ko` | AI 도구용 시큐어코딩 프롬프트 생성 (CII / AI / 로봇 / 우주 / JS·Python·범용 / 제로트러스트 / SW 공급망) | ### 지원 가이드라인 @@ -192,6 +192,22 @@ KESE(KISA Enhanced Security Evaluation Kit)는 KISA(한국인터넷진흥원) 대상: 제로트러스트 도입 기업, OT/ICS 환경, 클라우드 전환 조직, 보안 성숙도 평가 담당자 +#### 7. SW 공급망 보안 — 29항목 + +| 단계 | 코드 | 항목 수 | 참조 표준 | +|------|------|:------:|----------| +| 설계 단계 | SC-01~05 | 5 | NIST SP 800-161r1 | +| 개발 단계 | SC-06~16 | 11 | NIST SP 800-218 (SSDF) | +| 공급(유통) 단계 | SC-17~19 | 3 | NTIA SBOM | +| 도입 및 운영 단계 | SC-20~26 | 7 | NIS-SBOM | +| 유지보수 단계 | SC-27~29 | 3 | NIS-SBOM | + +**SBOM 표준**: SPDX (ISO/IEC 5962), CycloneDX (OWASP), NIS-SBOM (20개 항목) +**지원 도구**: Syft, Grype, CycloneDX CLI, npm audit, pip-audit, govulncheck +**규제 동향**: 미국 EO 14028 (SBOM 제출 의무화), EU CRA (2026 하반기 시행), NIS-SBOM (공공기관) + +대상: SW 개발기업, 공공조달 납품사, 정부과제 개발자, 바이브코딩 개발자 + ### 원본 문서 본 플러그인은 다음 공식 보안 가이드라인을 기반으로 재구성되었습니다: @@ -212,6 +228,8 @@ KESE(KISA Enhanced Security Evaluation Kit)는 KISA(한국인터넷진흥원) | 12 | **제로트러스트 가이드라인 2.0** | 한국제로트러스트포럼 / KISA | 2024 | 245 | [PDF](문서/제로트러스트_가이드라인_2.0.pdf) / [MD](문서/제로트러스트_가이드라인_2.0.md) | | 13 | **제로트러스트 성숙도 모델 해설서** | 한국제로트러스트포럼 / KISA | 2024 | 182 | [PDF](문서/제로트러스트_성숙도_모델_해설서.pdf) / [MD](문서/제로트러스트_성숙도_모델_해설서.md) | | 14 | **OT 환경의 제로트러스트 적용 안내서** | 과기정통부 / KISA | 2025 | 67 | [PDF](문서/OT_환경의_제로트러스트_적용_안내서.pdf) / [MD](문서/OT_환경의_제로트러스트_적용_안내서.md) | +| 15 | **SW 공급망 보안 가이드라인 (요약본)** | 국정원 / 과기정통부 / KISA | 2024 | 22 | [PDF](문서/240513-(요약본)_SW_공급망_보안_가이드라인.pdf) | +| 16 | **SW 공급망 보안 가이드라인 (전체본)** | 국정원 / 과기정통부 / KISA | 2024 | 100 | [PDF](문서/240525-(전체본)_SW_공급망_보안_가이드라인_최종%20수정본.pdf) | ### v2.x에서 마이그레이션 @@ -330,16 +348,16 @@ Korean versions are also available: ### Overview -KESE (KISA Enhanced Security Evaluation Kit) is a Claude Code plugin that provides comprehensive vulnerability assessment capabilities based on KISA (Korea Internet & Security Agency) guidelines. Supports Critical Information Infrastructure (CII), AI Security, Robot Security, Space Security, Secure Coding, and Zero Trust assessments. +KESE (KISA Enhanced Security Evaluation Kit) is a Claude Code plugin that provides comprehensive vulnerability assessment capabilities based on KISA (Korea Internet & Security Agency) guidelines. Supports Critical Information Infrastructure (CII), AI Security, Robot Security, Space Security, Secure Coding, Zero Trust, and SW Supply Chain Security (SBOM) assessments. ### Features | Skill | Description | |-------|-------------| -| `/kesekit-start` | Run full security vulnerability assessment (CII 560+ / AI Security / Robot Security / Space Security) | -| `/kesekit-check` | Pre-deployment security compliance checklist (CII / AI / Robot / Space) | -| `/kesekit-fix` | Auto-generate hardening scripts and security fixes (CII / AI / Robot / Space) | -| `/kesekit-guide` | Generate secure coding prompts for AI, robot, and space-aware secure development | +| `/kesekit-start` | Run full security vulnerability assessment (CII 560+ / AI / Robot / Space / Secure Coding / Zero Trust / Supply Chain) | +| `/kesekit-check` | Pre-deployment security compliance checklist (CII / AI / Robot / Space / Secure Coding / Zero Trust / Supply Chain) | +| `/kesekit-fix` | Auto-generate hardening scripts and security fixes (CII / AI / Robot / Space / Secure Coding / Zero Trust / Supply Chain) | +| `/kesekit-guide` | Generate secure coding prompts for AI, robot, space, zero trust, and supply chain security | ### Source Documents @@ -353,6 +371,8 @@ KESE (KISA Enhanced Security Evaluation Kit) is a Claude Code plugin that provid | 6 | **Space Security Model Part1** | MSIT / KISA | 2024 | 134 | | 7 | **Space Security Model Part2** (GSaaS/Supply Chain) | MSIT / KISA | 2025 | 223 | | 8 | **Space Security Explanation Guide** | MSIT / KISA | 2025 | 218 | +| 9 | **SW Supply Chain Security Guideline (Summary)** | NIS / MSIT / KISA | 2024 | 22 | +| 10 | **SW Supply Chain Security Guideline (Full)** | NIS / MSIT / KISA | 2024 | 100 | --- @@ -391,6 +411,19 @@ KESE-KIT/ ## 변경 이력 +### v3.3.0 (2026-04-08) + +**새 가이드라인 추가: SW 공급망 보안 (SBOM)** +- 출처: SW 공급망 보안 가이드라인 요약본 22p + 전체본 100p (국정원·과기정통부·KISA, 2024.05) +- 5개 단계(설계/개발/공급/운영/유지보수), 29개 자가점검 항목 (SC-01~SC-29) +- SBOM 표준: SPDX, CycloneDX, NIS-SBOM (20개 기본항목) +- SBOM 생성 스크립트 (Syft, CycloneDX CLI, npm/pip/maven/go) +- 보안취약점 스캔 스크립트 (Grype, npm audit, pip-audit, govulncheck) +- CI/CD 파이프라인 통합 가이드 (GitHub Actions, GitLab CI) +- 규제 동향: 미국 EO 14028, EU CRA (2026 하반기), NIS-SBOM +- 8개 스킬(EN/KO)에 `references/supply-chain/` + `templates/supply-chain/` + `scripts/supply-chain/` 배치 +- authorkit: PDF juice → analyze → draft 통합본 작성 완료 + ### v3.2.0 (2026-04-02) **새 가이드라인 추가: 시큐어코딩 가이드** diff --git a/authorkit/cleanup_images.py b/authorkit/cleanup_images.py new file mode 100644 index 0000000..1a4e8c9 --- /dev/null +++ b/authorkit/cleanup_images.py @@ -0,0 +1,147 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +"""Clean up extracted PDF images: remove duplicates, decorative backgrounds, tiny fragments.""" + +import os +import hashlib +import re +import sys + +def md5(filepath): + with open(filepath, 'rb') as f: + return hashlib.md5(f.read()).hexdigest() + +def cleanup_images(ref_dir): + images_dir = os.path.join(ref_dir, "images") + full_md_path = os.path.join(ref_dir, "full.md") + + if not os.path.exists(images_dir): + print(f"No images dir: {images_dir}") + return + + # 1. Scan all images + all_images = sorted([f for f in os.listdir(images_dir) if f.endswith('.png')]) + print(f"Total images before cleanup: {len(all_images)}") + + hash_map = {} # hash -> first file + to_delete = set() + reasons = {} + + for img in all_images: + img_path = os.path.join(images_dir, img) + size = os.path.getsize(img_path) + h = md5(img_path) + + # Rule 1: 0 byte files + if size == 0: + to_delete.add(img) + reasons[img] = "0 bytes" + continue + + # Rule 2: Under 5KB - too small to be meaningful (icons, dots, fragments) + if size < 5120: + to_delete.add(img) + reasons[img] = f"too small ({size} bytes)" + continue + + # Rule 3: Duplicates - keep first, delete rest + if h in hash_map: + to_delete.add(img) + reasons[img] = f"duplicate of {hash_map[h]}" + continue + + hash_map[h] = img + + # Rule 4: Identify decorative backgrounds (appear 5+ times = page decoration) + hash_counts = {} + for img in all_images: + if img in to_delete: + continue + img_path = os.path.join(images_dir, img) + h = md5(img_path) + hash_counts[h] = hash_counts.get(h, 0) + 1 + + # Any remaining hash that appeared many times in the original set is decorative + # Count from ALL images (before dedup) to catch patterns + all_hashes = {} + for img in all_images: + img_path = os.path.join(images_dir, img) + if os.path.getsize(img_path) > 0: + h = md5(img_path) + if h not in all_hashes: + all_hashes[h] = [] + all_hashes[h].append(img) + + decorative_hashes = set() + for h, files in all_hashes.items(): + if len(files) >= 5: # appears 5+ times = page decoration pattern + decorative_hashes.add(h) + for f in files: + if f not in to_delete: + to_delete.add(f) + reasons[f] = f"decorative background (appeared {len(files)}x)" + + # Summary + print(f"\nImages to delete: {len(to_delete)}") + reason_counts = {} + for r in reasons.values(): + key = r.split('(')[0].strip() if '(' in r else r.split(' of ')[0].strip() if ' of ' in r else r + reason_counts[key] = reason_counts.get(key, 0) + 1 + for reason, count in sorted(reason_counts.items(), key=lambda x: -x[1]): + print(f" - {reason}: {count}") + + # Delete files + for img in to_delete: + img_path = os.path.join(images_dir, img) + if os.path.exists(img_path): + os.remove(img_path) + + remaining = [f for f in os.listdir(images_dir) if f.endswith('.png')] + print(f"\nImages remaining: {len(remaining)}") + + # Update full.md - remove references to deleted images + if os.path.exists(full_md_path): + with open(full_md_path, 'r', encoding='utf-8') as f: + content = f.read() + + original_len = len(content) + lines = content.split('\n') + cleaned_lines = [] + removed_refs = 0 + + for line in lines: + # Check if line references a deleted image + match = re.search(r'!\[.*?\]\(images/(.+?)\)', line) + if match and match.group(1) in to_delete: + removed_refs += 1 + continue # skip this line + cleaned_lines.append(line) + + # Remove excessive blank lines (3+ consecutive -> 2) + content = '\n'.join(cleaned_lines) + content = re.sub(r'\n{4,}', '\n\n\n', content) + + with open(full_md_path, 'w', encoding='utf-8') as f: + f.write(content) + + print(f"Removed {removed_refs} image references from full.md") + print(f"Markdown size: {original_len:,} -> {len(content):,} chars") + + # Update conversion log + log_path = os.path.join(ref_dir, "conversion-log.md") + if os.path.exists(log_path): + with open(log_path, 'r', encoding='utf-8') as f: + log = f.read() + log += f"\n## Cleanup ({__import__('datetime').datetime.now().strftime('%Y-%m-%d %H:%M')})\n\n" + log += f"- Deleted: {len(to_delete)} images\n" + log += f"- Remaining: {len(remaining)} images\n" + for reason, count in sorted(reason_counts.items(), key=lambda x: -x[1]): + log += f" - {reason}: {count}\n" + with open(log_path, 'w', encoding='utf-8') as f: + f.write(log) + +if __name__ == "__main__": + if len(sys.argv) < 2: + print("Usage: python cleanup_images.py ") + sys.exit(1) + cleanup_images(sys.argv[1]) diff --git a/authorkit/convert_pdf.py b/authorkit/convert_pdf.py index 45e6e87..e71959f 100644 --- a/authorkit/convert_pdf.py +++ b/authorkit/convert_pdf.py @@ -37,9 +37,15 @@ def extract_pdf_to_markdown(pdf_path, output_dir, ref_id): xref = img[0] pix = fitz.Pixmap(doc, xref) - # Convert CMYK to RGB if needed - if pix.n >= 5: + # Convert non-RGB colorspaces to RGB + if pix.colorspace and pix.colorspace.n >= 4: pix = fitz.Pixmap(fitz.csRGB, pix) + elif pix.n - pix.alpha > 3: + pix = fitz.Pixmap(fitz.csRGB, pix) + + # Remove alpha channel if present + if pix.alpha: + pix = fitz.Pixmap(pix, 0) img_filename = f"p{page_num+1:04d}_img{img_idx}.png" img_path = os.path.join(images_dir, img_filename) @@ -50,7 +56,17 @@ def extract_pdf_to_markdown(pdf_path, output_dir, ref_id): text += f"\n\n![이미지 {page_num+1}-{img_idx}](images/{img_filename})\n" except Exception as e: - print(f" Warning: Could not extract image on page {page_num+1}: {e}") + # Fallback: render the page as image + try: + page_pix = page.get_pixmap(dpi=150) + img_filename = f"p{page_num+1:04d}_full.png" + img_path = os.path.join(images_dir, img_filename) + if not os.path.exists(img_path): + page_pix.save(img_path) + image_count += 1 + text += f"\n\n![페이지 {page_num+1} 렌더링](images/{img_filename})\n" + except Exception as e2: + print(f" Warning: Could not extract image on page {page_num+1}: {e} / fallback: {e2}") # Detect headings (lines that are likely headers) lines = text.split('\n') diff --git a/authorkit/converted/ref-016/conversion-log.md b/authorkit/converted/ref-016/conversion-log.md new file mode 100644 index 0000000..d6406cc --- /dev/null +++ b/authorkit/converted/ref-016/conversion-log.md @@ -0,0 +1,20 @@ +# Conversion Log + +- **Source**: 240513-(요약본)_SW_공급망_보안_가이드라인.pdf +- **Pages**: 22 +- **Converted**: 2026-04-08 16:31 +- **Text characters**: 20,056 +- **Images extracted**: 67 +- **Headings detected**: 13 + +## Output Files + +- `full.md` - Complete converted content +- `images/` - Extracted images (67 files) + +## Cleanup (2026-04-08 17:08) + +- Deleted: 53 images +- Remaining: 21 images + - too small: 46 + - 0 bytes: 7 diff --git a/authorkit/converted/ref-017/conversion-log.md b/authorkit/converted/ref-017/conversion-log.md new file mode 100644 index 0000000..fda6c5c --- /dev/null +++ b/authorkit/converted/ref-017/conversion-log.md @@ -0,0 +1,21 @@ +# Conversion Log + +- **Source**: 240525-(전체본)_SW_공급망_보안_가이드라인_최종 수정본.pdf +- **Pages**: 100 +- **Converted**: 2026-04-08 16:34 +- **Text characters**: 91,393 +- **Images extracted**: 216 +- **Headings detected**: 92 + +## Output Files + +- `full.md` - Complete converted content +- `images/` - Extracted images (216 files) + +## Cleanup (2026-04-08 17:08) + +- Deleted: 128 images +- Remaining: 88 images + - too small: 83 + - duplicate: 41 + - decorative background: 4 diff --git a/authorkit/drafts/sw-supply-chain/draft-new.md b/authorkit/drafts/sw-supply-chain/draft-new.md new file mode 100644 index 0000000..e8df70f --- /dev/null +++ b/authorkit/drafts/sw-supply-chain/draft-new.md @@ -0,0 +1,565 @@ +# SW 공급망 보안 가이드 + +> **출처**: SW 공급망 보안 가이드라인 요약본(ref-016) + 전체본(ref-017) 통합 +> **발행 원본**: 국가정보원, 과학기술정보통신부, 디지털플랫폼정부위원회, 한국인터넷진흥원 (2024.05) +> **KESE KIT 대상 독자**: 바이브코딩을 하는 개발자, 정부과제·공공조달 개발자, 서버 운영자 + +--- + +## 1절. SW 공급망 보안이 중요한 이유 + +### 1-1. 초연결 시대, SW 공급망이란? + +SW 공급망(Software Supply Chain)은 최종 SW 제품을 만드는 데 관여하는 사람, 장치, 시스템의 집합입니다. 개발자가 코드를 작성할 때부터 사용자 시스템에서 실행되기까지의 모든 과정을 포함합니다. + +전통적 제조업의 공급망과 비교하면 이해가 쉽습니다. + +| 구분 | 제조업 공급망 | SW 공급망 | +|------|-------------|----------| +| 부품 | 물리적 부품 | 코드, 라이브러리, 프레임워크 | +| 명세서 | 자재명세서(BOM) | **SBOM** | +| 위험 | 불량 부품 | 보안취약점, 악성코드 | +| 추적 | 제조 이력 | 종속성(Dependency) 트리 | + +디지털 제품과 서비스의 개발 과정에서 외부 SW 사용이 급증하고 있습니다. Synopsys의 OSSRA 2023 보고서에 따르면, 상용 코드베이스의 96%가 공개 SW를 포함하고 있으며, 코드베이스의 80% 이상이 하나 이상의 보안취약점을 포함합니다. + +> **WARNING** +> 바이브코딩 환경에서 AI가 생성하는 코드도 공개 SW 라이브러리를 자동으로 `import`합니다. 개발자가 직접 선택하지 않은 의존성도 공급망의 일부가 됩니다. `npm install`, `pip install`로 추가되는 모든 패키지가 공급망 관리 대상입니다. + +### 1-2. SW 공급망 공격, 왜 위험한가? + +SW 공급망 공격은 대상 범위가 넓고, 연쇄적 사고로 이어지며, 수년간 피해가 지속됩니다. + +| 사례 | 시기 | 사고 내용 | 피해 규모 | +|------|------|----------|----------| +| SolarWinds | 2020 | SW 개발 환경·배포 시스템 해킹 | 18,000개 이상 기관 | +| Log4Shell | 2021 | Log4j 제로데이 취약점 악용 | 전 세계 서버 대상 대량 공격 | +| Kaseya | 2022 | IT 원격관리 솔루션 해킹, 업데이트 위장 랜섬웨어 | 17개국 1,500여 조직 | +| Codecov | 2021 | 리포지토리 인증정보 유출 | 2차 공격 범위 측정 불가 | + +> **TIP** +> 정부과제나 공공조달에서 SW를 납품하는 경우, 공급망 보안 사고가 발생하면 납품사에게 책임이 돌아갑니다. SBOM 기반 관리 체계를 갖추는 것이 리스크 관리의 핵심입니다. + +### 1-3. SW 공급망 공격의 7가지 유형 + +| # | 유형 | 설명 | 대표 사례 | +|---|------|------|----------| +| 1 | **공개 SW 보안취약점** | 널리 사용되는 공개 SW의 알려진 취약점 악용 | Log4Shell | +| 2 | **타사 의존성** | 제3자 라이브러리·모듈의 취약점 | event-stream 악성코드 삽입 | +| 3 | **공용 리포지토리** | npm, PyPI 등을 통한 악성 패키지 배포 | 타이포스쿼팅 공격 | +| 4 | **빌드 시스템(변환 시스템)** | CI/CD 파이프라인 침해 | SolarWinds | +| 5 | **업데이트 가로채기** | 정상 업데이트 경로 탈취 | Kaseya | +| 6 | **내부 리포지토리** | 기업 내부 코드 저장소 침해 | Codecov | +| 7 | **공급사 및 협력사** | 신뢰된 공급업체를 경유한 침투 | NotPetya | + +> **WARNING** +> 바이브코딩에서 AI가 추천한 패키지를 무심코 설치하면 3번(공용 리포지토리) 유형에 노출됩니다. 패키지 이름이 비슷한 악성 패키지(타이포스쿼팅)를 주의하세요. + +### 1-4. 주요국 정책 동향 + +#### 미국 + +- **행정명령 EO 14028** (2021.5): 연방정부 납품 SW의 SBOM 제출 의무화 +- **OMB 각서 M-22-18** (2022.9): SW 공급사에 NIST SSDF 준수 자체증명서 제출 요구 +- 자체증명 항목: 안전한 개발 환경 구축, 자동화된 소스코드 출처 관리, 지속적 취약성 검사 + +> **TIP** +> 미국 연방정부에 SW를 납품하려면 `softwaresecurity.cisa.gov`에서 자체증명서를 제출해야 합니다. + +#### EU + +- **사이버 복원력 법(Cyber Resilience Act, CRA)** (2022.9 발의 → 2024.3 확정) +- 역내 유통 디지털 기기의 SBOM 제출 의무화 +- **2026년 하반기** 시행 예정 +- 적용 대상: 네트워크 연결 가능한 모든 디지털 제품(HW, SW 등) + +#### 일본 + +- 경제산업성 SBOM 실증 로드맵 (2022.05) +- 산업분야별 단계적 SBOM 도입 추진 + +#### 시사점 + +우리나라도 SBOM 기반 SW 공급망 보안 체계 확산이 필요합니다. 특히 해외 시장 진출 시 미국·EU의 SBOM 제출 요구가 무역장벽으로 작용할 수 있어 선제적 대응이 중요합니다. + +--- + +## 2절. SW 공급망 위험관리 체계 + +### 2-1. C-SCRM: 공급망 사이버보안 위험관리 + +C-SCRM(Cybersecurity Supply Chain Risk Management)은 공급망 전체에서 사이버보안 위험을 관리하는 체계적 프로세스입니다. 미국 NIST SP 800-161r1에서 정의했습니다. + +C-SCRM은 SW 개발 생명주기(SDLC, Software Development Life Cycle) 전체에 걸쳐 통합되어야 합니다. 설계부터 폐기까지, 모든 단계에서 공급망 보안을 고려해야 합니다. + +#### 다단계 전사적 위험관리 + +C-SCRM은 세 가지 레벨로 구분하여 수행합니다. + +``` +┌─────────────────────────────────────────────┐ +│ 레벨-1 (전사) │ +│ • C-SCRM 전략·정책·이행 계획 수립 │ +│ • 거버넌스 구조 및 경계 설정 │ +│ • 경영진(CEO, CIO, CISO 등) 감독 │ +├─────────────────────────────────────────────┤ +│ 레벨-2 (프로세스) │ +│ • 비즈니스 프로세스별 전략 개발 │ +│ • 정책·절차·지침 개발 │ +│ • 프로젝트 관리자·엔지니어 실행 │ +├─────────────────────────────────────────────┤ +│ 레벨-3 (운영) │ +│ • 개별 시스템에 C-SCRM 적용 │ +│ • SDLC에 통합 운영 │ +│ • 아키텍트·개발자·QA 실행 │ +└─────────────────────────────────────────────┘ +``` + +> **TIP** +> 소규모 개발팀이라면 레벨-3(운영)에 집중하세요. SBOM 생성·관리를 CI/CD에 통합하고, 보안취약점을 자동으로 점검하는 것만으로도 기본적인 C-SCRM을 구현할 수 있습니다. + +### 2-2. 공급망 참여자의 역할 + +미국 ESF(Enduring Security Framework)는 SW 공급망 참여자별 보안 활동을 다음과 같이 정의했습니다. + +#### 개발사의 역할 + +| 영역 | 권장 활동 | +|------|----------| +| 보안 요구사항 | 고객과 공급자의 보안 요구사항 확인, 위협 모델링 | +| 안전한 개발 | 코드 표준 준수, 코드 리뷰, 정적·동적 분석 | +| 빌드 환경 | 빌드 시스템 보호, 무결성 검증, SBOM 생성 | +| 취약점 관리 | 취약점 모니터링, 패치 배포, 고객 통보 | + +#### 공급(유통)사의 역할 + +| 영역 | 권장 활동 | +|------|----------| +| 검증 | 보안 요구사항 충족 확인, 타사 SW 검증 | +| 테스트 | 실행 파일 보안 테스트 수행 | +| 통보 | 보안취약점 발견 시 고객사에 알림 | + +#### 운영(고객)사의 역할 + +| 영역 | 권장 활동 | +|------|----------| +| 요구사항 | 보안 요구사항·SCRM 요구사항 정의 | +| 인수 테스트 | SW 도입 전 보안 인수 테스트 수행 | +| 생명주기 관리 | 운영 중 보안취약점 모니터링, 업데이트 관리 | + +### 2-3. SSDF: 안전한 SW 개발 체계 + +SSDF(Secure Software Development Framework, NIST SP 800-218)는 안전한 SW 개발을 위한 4가지 원칙을 제시합니다. + +| 원칙 | 약어 | 내용 | +|------|------|------| +| 조직 준비 | PO | 인력·프로세스·기술이 안전한 SW 개발을 수행할 준비가 되어 있는지 확인 | +| SW 보호 | PS | SW의 모든 구성요소가 변조되거나 비인가 접근이 이루어지지 않도록 보호 | +| 보안성 높은 SW 개발 | PW | 보안취약점을 최소화하여 보안이 갖춰진 SW를 개발 | +| 보안취약점 대응 | RV | 출시 후 남아있는 보안취약점을 파악하고 적절히 대응 | + +SSDF의 특징: +- SDLC 모델과 관계없이 적용 가능합니다 +- 기술, 플랫폼, 프로그래밍 언어에 무관합니다 +- 보안 지식이 없어도 이해할 수 있는 공통 언어를 제공합니다 + +> **TIP** +> 국산 공급망 보안 관리 도구인 **NShiftKey**를 활용하면 SSDF 기반 보안 체크를 자동화할 수 있습니다. GitHub Marketplace에서 무료로 다운로드 가능합니다. +> ```bash +> # NShiftKey GitHub 설치 +> # https://github.com/marketplace/nshiftkey +> ``` + +--- + +## 3절. SBOM의 이해와 활용 + +### 3-1. SBOM이란? + +SBOM(Software Bill of Materials, SW 구성요소 명세서)은 SW를 구성하는 모든 요소를 목록화한 메타데이터입니다. 식품의 원재료 표시, 제조업의 자재명세서(BOM)와 같은 개념을 SW에 적용한 것입니다. + +``` +┌─ 내 프로젝트 v1.0 ─────────────────────┐ +│ │ +│ ├─ express@4.18.2 (MIT) │ +│ │ ├─ body-parser@1.20.1 │ +│ │ ├─ cookie@0.5.0 │ +│ │ └─ qs@6.11.0 │ +│ ├─ jsonwebtoken@9.0.0 (MIT) │ +│ │ └─ jws@3.2.2 │ +│ ├─ mongoose@7.0.3 (MIT) │ +│ │ └─ mongodb@5.1.0 │ +│ └─ log4js@6.9.1 (Apache-2.0) ⚠️ │ +│ └─ flatted@3.2.7 │ +│ │ +└──────────────────────────────────────────┘ + ↑ 이것이 SBOM입니다 +``` + +SBOM은 종속성(Dependency)을 트리 구조로 연결합니다. Log4j처럼 여러 시스템에서 사용하는 구성요소를 빠르게 식별할 수 있습니다. + +### 3-2. SBOM이 필요한 이유 + +역할별 활용 목적이 다릅니다. + +| 역할 | SBOM 활용 | +|------|----------| +| **개발자** | 구성요소 최신 버전 식별, 보안취약점 신속 대응 | +| **구매자** | 투명한 보안취약점·라이선스 분석, 위험 수준 평가 | +| **운영자** | 새 보안취약점 발견 시 영향 범위 빠른 확인 | + +NTIA의 효과성 분석에 따르면, SBOM 없이는 보안취약점 발견부터 조치까지 수개월~수년이 걸립니다. SBOM을 활용하면 공급망 전 단계에서 동시에 취약점을 식별하고 조치할 수 있습니다. + +### 3-3. SBOM 최소 요건 + +미국 NTIA가 제시한 SBOM 최소 요건은 3가지 영역을 포함합니다. + +#### 1) 데이터 필드 (7가지 기본항목) + +| 항목 | 설명 | +|------|------| +| 공급자명(Supplier Name) | 구성요소를 생성·식별한 주체 | +| 타임스탬프(Timestamp) | SBOM 데이터 생성 일시 | +| 저작권자(Author Name) | SBOM 데이터를 생성하는 주체 | +| 구성요소명(Component Name) | SW 단위에 할당된 명칭 | +| 버전(Version String) | 변경 사항을 식별하는 버전 | +| 고유 식별자(Unique Identifier) | 구성요소를 식별하는 키 | +| 종속성 관계(Relationship) | 상위 구성요소와의 포함 관계 | + +#### 2) 자동화 지원 (3가지 표준 형식) + +| 표준 | 개발 기관 | 주요 대상 | 국제 표준 | +|------|----------|----------|----------| +| **SPDX** | 리눅스재단 | 공개 SW 라이선스 관리 | ISO/IEC 5962 | +| **CycloneDX** | OWASP | 공급망 보안 관리 | - | +| **SWID** | 미국 상무부 | 상용 SW 자산 관리 | ISO/IEC 19770-2 | + +> **TIP** +> 실무에서는 **CycloneDX**를 권장합니다. 보안취약점 관리에 특화되어 있고, SBOM 생성 도구 지원이 가장 폭넓습니다. SWID는 보안취약점 관리에는 활용되지 않습니다. + +#### 3) 관행 및 프로세스 + +SBOM을 업데이트하고 제공하는 방법·시기에 관한 6가지 요구사항: +- 빈도(Frequency) +- 깊이(Depth) +- 알려진 미지(Known Unknowns) +- 배포 및 전달(Distribution and Delivery) +- 접근 제어(Access Control) +- 오류 수용(Accommodation of Mistake) + +### 3-4. SBOM을 활용한 보안취약점 관리 + +SBOM 기반 보안취약점 관리는 4단계로 진행합니다. + +``` +┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐ +│ ① SBOM │───▶│ ② CVE │───▶│ ③ 위험도 │───▶│ ④ 조치 │ +│ 생성 │ │ 조회 │ │ 평가 │ │ 계획 │ +└──────────┘ └──────────┘ └──────────┘ └──────────┘ + SCA 도구로 NVD에서 CVSS로 우선순위에 + 구성요소 식별 CVE 확인 점수 평가 따라 조치 +``` + +**① SBOM 생성**: SCA(Software Composition Analysis) 도구로 SBOM을 생성하고 SW 구성요소를 식별합니다. + +**② CVE 조회**: 알려진 보안취약점 정보(CVE, KEV 등)를 NVD(https://nvd.nist.gov)에서 확인합니다. + +```bash +# NVD에서 특정 CVE 조회 +curl "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" +# Log4Shell 취약점 상세 정보 확인 +``` + +**③ 위험도 평가**: CVSS(Common Vulnerabilities Scoring System) 점수로 심각도를 판단합니다. + +| CVSS 점수 | 심각도 | 조치 | +|:---------:|--------|------| +| 9.0~10.0 | 치명적(Critical) | 즉시 조치 | +| 7.0~8.9 | 높음(High) | 긴급 조치 | +| 4.0~6.9 | 중간(Medium) | 계획적 조치 | +| 0.1~3.9 | 낮음(Low) | 모니터링 | + +> **WARNING** +> CVSS 7.0 이상의 보안취약점은 보안 담당자와 즉각적인 완화 조치를 수행하거나, 조치 방안과 시기를 협의해야 합니다. CVSS 외에 CISA의 KEV(Known Exploited Vulnerability) 등 추가 지표도 활용하세요. + +**④ 조치 계획**: 보안취약점에 대한 조치 계획을 수립하고, 관련자에게 정보를 공유합니다. + +### 3-5. SBOM을 활용한 라이선스 관리 + +공개 SW 라이선스는 크게 두 가지로 분류됩니다. + +| 유형 | 특징 | 예시 | +|------|------|------| +| **Copyleft** | 파생 저작물도 동일 라이선스 적용 의무 | GPL, LGPL, AGPL | +| **Permissive** | 자유로운 사용·수정·배포 허용 | MIT, Apache-2.0, BSD | + +> **WARNING** +> GPL 라이선스 공개 SW를 상용 제품에 포함하면 소스코드 공개 의무가 발생할 수 있습니다. SBOM을 통해 사전에 라이선스를 확인하세요. + +--- + +## 4절. SBOM 기반 공급망 보안 체계 구축 + +### 4-1. 공급망 단계별 SBOM 관리 체계 + +SW 공급망은 개발 → 공급(유통) → 운영의 각 단계에서 SBOM을 생성·관리해야 합니다. + +``` +┌─────────────┐ ┌─────────────┐ ┌─────────────┐ +│ 개발사 │ │ 공급(유통)사 │ │ 운영사 │ +├─────────────┤ ├─────────────┤ ├─────────────┤ +│ • SBOM 생성 │───▶│ • SBOM 검증 │───▶│ • SBOM 활용 │ +│ • 취약점 분석│ │ • 무결성 확인│ │ • 취약점 관리│ +│ • 패치 개발 │ │ • 라이선스 │ │ • 업데이트 │ +│ • SCA 도구 │ │ 확인 │ │ 모니터링 │ +└─────────────┘ └─────────────┘ └─────────────┘ +``` + +**개발사 필수 설비:** +- SBOM 도구(공개 SW 및 상용 도구) +- SW 구성요소 저장소 +- SBOM 데이터베이스(DB) +- 자체 보안취약점 DB 및 NVD 연계 + +> **TIP** +> 모든 SW 구성요소에 대한 SBOM 생성이 어려운 경우, **타사 라이브러리 및 공개 SW 구성요소**를 중심으로 출처 정보와 종속성 관계를 관리하는 체계를 우선 구축하세요. + +### 4-2. SBOM 유효성 검증 + +자동화 도구로 SBOM을 생성하면 항목이 누락되거나 중복되는 현상이 발생합니다. 유효성 검증은 필수입니다. + +**검증 요령:** + +**❶ 개발자 확인**: SW 제품 개발 상세 현황과 추출한 SBOM 데이터를 비교하여 오탐·과탐 여부를 검토합니다. + +확인할 제품 정보: +- 기업명, 서비스명, 개발언어 +- 패키지 형태, 개발 프레임워크 +- 공개 SW, 상용 SW 사용 현황 +- 빌드시스템, 형상관리시스템 + +**❷ 완전성 확인**: CycloneDX, SPDX 등 SBOM 표준의 기본항목 누락 여부를 확인합니다. + +**흔한 오류 사례:** + +``` +❌ OPENSSL → OPENSL (컴포넌트명 오기) +❌ 같은 버전 중복 출력 +❌ 공급자명·라이선스명 누락 +``` + +> **WARNING** +> 소스코드와 바이너리로 생성한 SBOM 결과가 다를 수 있습니다. 신뢰성 높은 SBOM 생성을 위해 **2개 이상의 도구를 이용한 교차 검증**을 권장합니다. + +### 4-3. 컴포넌트 관리 요령 + +**❶** SW를 개발·유통하는 과정에서 변경·수정되는 제품의 SBOM을 지속 공유해야 누락 없는 컴포넌트 관리가 가능합니다. + +**❷** 개발자가 인지하지 못한 공개 SW 컴포넌트와 SW 설치 후 생성되는 공개 SW 컴포넌트를 추가하여 관리합니다. + +**❸** 소스코드, 바이너리, 의존성을 종합적으로 분석한 SBOM을 관리해야 신뢰성 높은 보안취약점·라이선스·SW 자산관리가 가능합니다. + +### 4-4. NIS-SBOM: 국가정보원 제안 기본항목 + +국가정보원은 국가·공공기관에 도입되는 SW의 공급망 보안 관리를 위해 NIS-SBOM 기본항목을 개발했습니다. 미국 NTIA의 7개 항목을 확장하여 **20개 기본항목**을 정의합니다. + +| 목표 | 설명 | +|------|------| +| 기본항목 간소화 | 필수 정보에 집중 | +| 보안취약점 정보 연동 | CVE/KEV 데이터 연계 | +| 사이버 위험관리 효율성 향상 | 자동화된 위험 평가 지원 | + +NIS-SBOM 20개 항목: + +``` +SBOM Standard, SBOM Type, CycloneDX No, SPDX Doc. ID, +SBOM ID, Product Name, Product Version, +Component Name, Component Alias, Component Version, +Component Supplier Name, Component Hash, Component Path, +SBOM Author Name, Unique Identifier, +Dependency Relationship, Timestamp, +License Name Version, Vul. DB, Vul. Info +``` + +> **TIP** +> 공공기관에 SW를 납품하는 경우, NIS-SBOM 기본항목에 맞춰 SBOM을 생성하면 향후 제도화 시 대응이 수월합니다. + +--- + +## 5절. 자가 점검 체크리스트 + +SW 공급망 보안 상태를 스스로 점검할 수 있는 체크리스트입니다. NIST SP 800-161, NIST SP 800-218을 참고하여 국내 실정에 맞게 마련되었습니다. + +### 설계 단계 + +| # | 점검 항목 | 세부 설명 | +|---|----------|----------| +| 1 | 안전한 개발 관련 역할 및 책임을 명시하는가? | 사내 공지·발령에 역할·책임 명시 | +| 2 | 개발자 및 관련자에게 보안 교육을 하는가? | 공급망 보안, 시큐어코딩 교육 확인 | +| 3 | 개발단계에서 공급망 보안을 고려하였는가? | 형상관리, SBOM 생성·관리 | +| 4 | 개발환경의 보안 상태를 관리하는가? | OS·백신 업데이트 현황 | +| 5 | 제품의 주요 보안항목을 식별하고 문서로 보관하는가? | 데이터 보호, 암호화, 인증, 접근통제 명세 | + +### 개발 단계 + +| # | 점검 항목 | 세부 설명 | +|---|----------|----------| +| 6 | 시큐어코딩을 준수하는가? | 소스코드 빌드 시 시큐어코딩 확인 | +| 7 | 배포 전 기본 설정을 검토하였는가? | SSL, 접근 권한, 리포지토리 암호화 등 | +| 8 | 외부 라이브러리 도입 시 보안성을 확인하는가? | 유해성·무결성 검사 | +| 9 | 내부 저장소에 인가된 사용자만 접근하는가? | 형상관리 시스템 접근통제 | +| 10 | 공개 SW 및 내부 소스코드 보안취약점을 지속 점검하는가? | 취약점 점검 로그 확인 | +| 11 | 빌드 과정에서 자동화된 보안 테스트를 수행하는가? | CI/CD에 보안 테스트 포함 | +| 12 | 컴파일러·인터프리터 보안 옵션을 사용하는가? | 권한 설정, 암호화 설정 활성화 | +| 13 | 빌드 후 결과물을 보관하는가? | 실행 파일, 로그, SBOM, 테스트 결과 | +| 14 | SBOM 컴포넌트의 보안취약점을 확인하는가? | SBOM 결과에서 취약점 식별 | +| 15 | 심각한 보안취약점에 대한 검증 과정이 있는가? | CVSS 7.0 이상 컴포넌트 유효성 검증 | +| 16 | SBOM 작성 이력을 보관하는가? | SBOM 생성 이력 관리 | + +### 공급(유통) 단계 + +| # | 점검 항목 | 세부 설명 | +|---|----------|----------| +| 17 | SW 무결성 확인 데이터를 전달하는가? | 코드서명, 해시값 | +| 18 | 소스코드·라이브러리·공개 SW 정보를 안전하게 보관하는가? | 안전한 보관 여부 | +| 19 | 고객사에 SBOM·보안취약점·라이선스 정보를 제공하는가? | SBOM 활용 | + +### 도입 및 운영 단계 + +| # | 점검 항목 | 세부 설명 | +|---|----------|----------| +| 20 | 공급망 보안 요구사항 매뉴얼이 있는가? | SBOM 제공, 취약점 제거, 업데이트 요구 | +| 21 | 도입 계약 시 보안 요구사항 이행을 확인하는가? | 보안 요구사항 이행 확인 | +| 22 | SW 무결성을 코드서명·해시값으로 확인하는가? | 코드서명·해시값 검증 | +| 23 | CVE 공개 시 해당 SW가 있는지 모니터링하는가? | 알려진 보안취약점 확인 | +| 24 | 심각한 보안취약점 발견 시 처리 요구를 하는가? | 조치 절차 점검 | +| 25 | 외부 개발 SW의 SBOM을 제공받는가? | SBOM 검토 | +| 26 | 외부 개발 소스코드의 취약점을 점검하는가? | 보안취약점 점검 | + +### 유지보수 단계 + +| # | 점검 항목 | 세부 설명 | +|---|----------|----------| +| 27 | 보안 업데이트를 정기적으로 확인하는가? | 패치 적용 현황 | +| 28 | 보안취약점 조치 이력을 관리하는가? | 조치 이력 문서화 | +| 29 | SBOM을 정기적으로 업데이트하는가? | SW 변경 시 SBOM 갱신 | + +> **TIP** +> 이 체크리스트는 역할에 따라 선택적으로 활용할 수 있습니다. +> - **개발사**: 개발자 공급망 보안 업무 지시, 개발환경 보안 자체 점검 +> - **공급(유통)사**: 개발사 공급망 보안 준비도 점검, 고객사에 공급망 수준 입증 근거 +> - **고객(운영)사**: 도입 전 공급망 보안 확인, SW 도입 후 공급망 관리 + +--- + +## 6절. 지원 인프라 및 발전 방향 + +### 6-1. SW 보안취약점 점검 지원 테스트베드 + +정부는 SW 공급망 보안을 지원하기 위해 3개 시설을 운영하고 있습니다. + +#### 기업지원허브 (판교) + +- **운영**: 2015.10월~ +- **지원 내용**: 사이버보안 위협 시연, 보안취약점 점검 지원 +- SBOM 도구(소스코드, 바이너리) 등으로 디지털 제품·서비스의 보안취약점 점검 지원 +- 가전, 금융, 스마트도시, 교통, 에너지 등 다양한 분야 + +#### 디지털헬스케어 보안 리빙랩 (원주) + +- **운영**: 2020.12월~ +- **지원 내용**: 디지털헬스케어기기 보안 테스트, 의료기기 인허가 지원 +- 2024년 상반기부터 SBOM 생성 도구 도입 +- 식약처 협의를 통해 연 8~9건 인허가 지원 + +#### 국가사이버안보협력센터 기술공유실 (판교) + +- **운영**: 2022.11월~ +- **지원 내용**: SBOM 기반 공급망 보안 테스트베드 +- 국내외 상용 SCA 도구 3종 적용 +- SBOM 생성 자동화 → SBOM 관리 → SW 보안취약점 추적·관리 실증 + +> **TIP** +> 중소기업이라면 **기업지원허브(판교)**에서 무료로 SBOM 생성 및 보안취약점 점검을 받을 수 있습니다. 의료기기 관련 기업은 **원주 리빙랩**을 활용하세요. + +### 6-2. 국내외 SBOM 표준 현황 + +| 구분 | 표준명 | 비고 | +|------|--------|------| +| 민간 | TTAK.KO-11.0309 (2022.12) | SPDX v2.0 참조, 국내 활용 개선 | +| 정부 | NIS-SBOM (20개 기본항목) | 간소화·취약점 연동·위험관리 효율화 | +| 국제 | SPDX (ISO/IEC 5962) | 리눅스재단 주도 | +| 국제 | CycloneDX | OWASP 주도 | + +### 6-3. 발전 방향 + +**가. 개발기업의 SW 투명성 확보 지원** +범정부 차원의 지원센터 운영, SBOM 기반 공급망 보안 관리 체계 도입 지원이 필요합니다. + +**나. SBOM 및 SW 공급망 보안에 대한 적극적 투자** +미국·EU 시장의 무역장벽에 대응하기 위해 SBOM 및 공급망 보안 기술 확보가 필요합니다. + +**다. 공급자-수요자 연계 SBOM 기반 공급망 보안 관리** +기관 내 IT 자산, SW, SW 구성요소를 통합 관리하고 보안취약점을 지속 모니터링하는 체계가 필요합니다. + +**라. 안전한 SW 개발 환경 조성 및 사이버 복원력 강화** +SW 제품·서비스의 생애주기 전반에서 보안관리를 강화하고, 보안적합성·IoT 보안 라벨링 등을 제도화해야 합니다. + +**마. SBOM의 안전한 활용 및 기밀성 보장** +SBOM은 기업이 공개를 꺼리는 정보를 포함할 수 있습니다. SBOM의 기밀성을 보장하면서 안전하게 공유하는 기술 연구가 필요합니다. + +> **WARNING** +> SBOM에는 사용 중인 SW 구성요소와 버전 정보가 포함됩니다. 이 정보가 유출되면 공격자에게 공격 대상을 알려주는 셈이 될 수 있습니다. SBOM의 접근 통제와 기밀성 보장은 필수입니다. + +--- + +## 부록. SBOM 생성 실습 + +### 바이브코딩 환경에서 SBOM 생성하기 + +#### Node.js 프로젝트 + +```bash +# CycloneDX를 이용한 SBOM 생성 +npm install -g @cyclonedx/cyclonedx-npm +cyclonedx-npm --output-file sbom.json + +# 또는 syft 사용 +syft dir:. -o cyclonedx-json > sbom.json +``` + +#### Python 프로젝트 + +```bash +# CycloneDX를 이용한 SBOM 생성 +pip install cyclonedx-bom +cyclonedx-py requirements -i requirements.txt -o sbom.json --format json + +# 또는 syft 사용 +syft dir:. -o cyclonedx-json > sbom.json +``` + +#### SBOM 검증 + +```bash +# SBOM 내용 확인 +cat sbom.json | python -m json.tool | head -50 + +# grype를 이용한 보안취약점 스캔 +grype sbom:sbom.json +``` + +> **TIP** +> CI/CD 파이프라인에 SBOM 생성과 취약점 스캔을 통합하면 자동으로 공급망 보안을 관리할 수 있습니다. +> ```yaml +> # GitHub Actions 예시 +> - name: Generate SBOM +> run: cyclonedx-npm --output-file sbom.json +> - name: Scan vulnerabilities +> run: grype sbom:sbom.json --fail-on high +> ``` + +--- + +*출처: SW 공급망 보안 가이드라인 v1.0 (2024.05, 국가정보원·과학기술정보통신부·디지털플랫폼정부위원회·한국인터넷진흥원)* +*KESE KIT 스타일로 재구성: constitution.md 규칙 적용* diff --git "a/authorkit/new pdf/ai\352\270\260\353\263\270\353\262\225/1._260126_\355\210\254\353\252\205\354\204\261_\355\231\225\353\263\264_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270_\354\265\234\354\242\205\353\263\270(1.22._\352\263\265\352\260\234\354\232\251)_\354\210\230\354\240\225\353\263\270.pdf" "b/authorkit/new pdf/ai\352\270\260\353\263\270\353\262\225/1._260126_\355\210\254\353\252\205\354\204\261_\355\231\225\353\263\264_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270_\354\265\234\354\242\205\353\263\270(1.22._\352\263\265\352\260\234\354\232\251)_\354\210\230\354\240\225\353\263\270.pdf" new file mode 100644 index 0000000..c2f2728 Binary files /dev/null and "b/authorkit/new pdf/ai\352\270\260\353\263\270\353\262\225/1._260126_\355\210\254\353\252\205\354\204\261_\355\231\225\353\263\264_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270_\354\265\234\354\242\205\353\263\270(1.22._\352\263\265\352\260\234\354\232\251)_\354\210\230\354\240\225\353\263\270.pdf" differ diff --git "a/authorkit/new pdf/ai\352\270\260\353\263\270\353\262\225/2._260122_\354\235\270\352\263\265\354\247\200\353\212\245_\354\225\210\354\240\204\354\204\261_\355\231\225\353\263\264_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270[1].pdf" "b/authorkit/new pdf/ai\352\270\260\353\263\270\353\262\225/2._260122_\354\235\270\352\263\265\354\247\200\353\212\245_\354\225\210\354\240\204\354\204\261_\355\231\225\353\263\264_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270[1].pdf" new file mode 100644 index 0000000..7b2990f Binary files /dev/null and "b/authorkit/new pdf/ai\352\270\260\353\263\270\353\262\225/2._260122_\354\235\270\352\263\265\354\247\200\353\212\245_\354\225\210\354\240\204\354\204\261_\355\231\225\353\263\264_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270[1].pdf" differ diff --git "a/authorkit/new pdf/ai\352\270\260\353\263\270\353\262\225/3._260213_\352\263\240\354\230\201\355\226\245_\354\235\270\352\263\265\354\247\200\353\212\245_\355\214\220\353\213\250_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270_\354\265\234\354\242\205_v.4.pdf" "b/authorkit/new pdf/ai\352\270\260\353\263\270\353\262\225/3._260213_\352\263\240\354\230\201\355\226\245_\354\235\270\352\263\265\354\247\200\353\212\245_\355\214\220\353\213\250_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270_\354\265\234\354\242\205_v.4.pdf" new file mode 100644 index 0000000..fba093f Binary files /dev/null and "b/authorkit/new pdf/ai\352\270\260\353\263\270\353\262\225/3._260213_\352\263\240\354\230\201\355\226\245_\354\235\270\352\263\265\354\247\200\353\212\245_\355\214\220\353\213\250_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270_\354\265\234\354\242\205_v.4.pdf" differ diff --git "a/authorkit/new pdf/ai\352\270\260\353\263\270\353\262\225/4._260122_\352\263\240\354\230\201\355\226\245_\354\235\270\352\263\265\354\247\200\353\212\245_\354\202\254\354\227\205\354\236\220_\354\261\205\353\254\264_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270-1[1].pdf" "b/authorkit/new pdf/ai\352\270\260\353\263\270\353\262\225/4._260122_\352\263\240\354\230\201\355\226\245_\354\235\270\352\263\265\354\247\200\353\212\245_\354\202\254\354\227\205\354\236\220_\354\261\205\353\254\264_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270-1[1].pdf" new file mode 100644 index 0000000..a8d0964 Binary files /dev/null and "b/authorkit/new pdf/ai\352\270\260\353\263\270\353\262\225/4._260122_\352\263\240\354\230\201\355\226\245_\354\235\270\352\263\265\354\247\200\353\212\245_\354\202\254\354\227\205\354\236\220_\354\261\205\353\254\264_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270-1[1].pdf" differ diff --git "a/authorkit/new pdf/ai\352\270\260\353\263\270\353\262\225/5._260122_\354\235\270\352\263\265\354\247\200\353\212\245_\354\230\201\355\226\245\355\217\211\352\260\200_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270[1].pdf" "b/authorkit/new pdf/ai\352\270\260\353\263\270\353\262\225/5._260122_\354\235\270\352\263\265\354\247\200\353\212\245_\354\230\201\355\226\245\355\217\211\352\260\200_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270[1].pdf" new file mode 100644 index 0000000..622c016 Binary files /dev/null and "b/authorkit/new pdf/ai\352\270\260\353\263\270\353\262\225/5._260122_\354\235\270\352\263\265\354\247\200\353\212\245_\354\230\201\355\226\245\355\217\211\352\260\200_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270[1].pdf" differ diff --git a/authorkit/references/ref-016/analysis.md b/authorkit/references/ref-016/analysis.md new file mode 100644 index 0000000..7e38e9f --- /dev/null +++ b/authorkit/references/ref-016/analysis.md @@ -0,0 +1,105 @@ +# ref-016: SW 공급망 보안 가이드라인 (요약본) — 분석 결과 + +> **역할**: 요약본 (정책 결정자·경영진 대상) +> **파일**: `240513-(요약본)_SW_공급망_보안_가이드라인.pdf` +> **발행**: 국가정보원, 과학기술정보통신부, 디지털플랫폼정부위원회, 한국인터넷진흥원 (2024.05) +> **분량**: 22페이지 | 18,376자 | 4,456단어 | 이미지 21개 + +--- + +## 1. 구조 (목차) + +| 장 | 절 | 제목 | 페이지 | +|---|---|------|-------| +| 제1장 | | 추진배경 | p.5 | +| | | 환경변화 | p.5 | +| | | SW 공급망 보안 필요성 | p.5 | +| | | 주요국 정책동향 | p.6 | +| | | 시사점 | p.6 | +| 제2장 | | SW 공급망 위험관리 방안 | p.7 | +| | 제1절 | 공급망 사이버보안 위험관리 체계 구축 방안 | p.7 | +| | | 공급망 사이버보안 위험관리 개요 (C-SCRM) | p.7 | +| | | 공급망 사이버보안 위험관리 활동 | p.7 | +| | | SW 개발·운영 환경의 공급망 보안 체계 구축 방안 | p.8 | +| | | 안전한 SW 개발 체계의 활용 (SSDF) | p.9 | +| | 제2절 | SW 구성요소의 신뢰성 확보 방안 | p.9 | +| | | SW 구성요소 명세서 (SBOM) | p.9 | +| | | SBOM 최소요건 | p.10 | +| | | SBOM 활용 | p.10 | +| | | SBOM의 효과성 | p.12 | +| | | 참고: 국내외 SBOM 표준화 현황 | p.13 | +| 제3장 | | SBOM 기반 SW 공급망 강화 방안 | p.14 | +| | 제1절 | SW 공급망 위험관리를 위한 SBOM 확산 | p.14 | +| | 제2절 | SBOM 기반 SW 공급망 보안 실증 | p.16 | +| | 제3절 | SW 보안취약점 점검 지원 테스트베드 | p.18 | +| | 제4절 | SBOM 기반 SW 공급망 보안 발전 제언 | p.19 | + +총 22개 섹션 감지 + +--- + +## 2. 그림/표 목록 + +| # | 위치 | 설명 | +|---|------|------| +| 1 | p.6 | 주요국 정책동향 다이어그램 | +| 2 | p.8 | 다단계 전사적 위험관리(C-SCRM) 개요도 | +| 3 | p.8 | 공급망 참여자(개발사·공급사·운영사) 역할 구성도 | +| 4 | p.10 | SBOM 최소요건 구조도 | +| 5 | p.11 | CycloneDX 포맷 보안취약점 연계 예시 | +| 6 | p.11 | NVD 보안취약점(CVE) 조회 화면 | +| 7 | p.12 | SBOM 효과성 다이어그램 | +| 8 | p.14 | 내·외부 SW 활용 및 SW 공급망 예시 | +| 9 | p.15 | SW 개발 생명주기에 따른 SBOM 관리 체계 구성 방안 | +| 10 | p.15 | 산업별 거점을 활용한 SW 공급망 위험관리 구성도 | +| 11 | p.16 | SBOM 실증 개요 | +| 12 | p.18 | 테스트베드 시설 안내 | + +--- + +## 3. 핵심 개념 / 용어 + +| 용어 | 정의/설명 | +|------|-----------| +| SW 공급망 | 최종 SW 제품을 생산하는 사람, 장치, 시스템의 집합. 코드 작성부터 사용자 실행까지의 모든 과정 | +| SBOM (SW Bill of Materials) | SW 구성요소 명세서. SW에 포함된 구성요소를 목록화하여 투명성·신뢰성을 확보하는 도구 | +| C-SCRM | Cybersecurity Supply Chain Risk Management. 공급망 전체에서 사이버보안 위험을 관리하는 체계적 프로세스 | +| SSDF | Secure Software Development Framework (NIST SP 800-218). 안전한 SW 개발체계 | +| SDLC | SW 개발 생명주기 (Software Development Life Cycle) | +| SCA | Software Composition Analysis. SW 구성요소 분석 기술 | +| SPDX | Software Package Data Exchange. 리눅스재단 주도 SBOM 표준 (ISO/IEC 5962) | +| CycloneDX | OWASP 주도 공급망 보안 관리용 SBOM 표준 | +| SWID | Software Identification. 미국 상무부 지원 SW 자산/보안 관리 표준 (ISO/IEC 19770-2) | +| CVE | Common Vulnerabilities Exposures. 공개적으로 알려진 보안 결함 목록 | +| CVSS | Common Vulnerabilities Scoring System. 보안취약점 위험도 점수 (0.0~10.0) | +| KEV | Known Exploited Vulnerability. 악용 사례가 알려진 보안취약점 | +| NVD | National Vulnerability Database. 미국 보안취약점 데이터베이스 | +| NIS-SBOM | 국가정보원 제안 SBOM 기본항목 (20개 항목) | +| ESF | Enduring Security Framework. CISA·NSA 참여 민관 파트너십 | +| EO 14028 | 바이든 행정부 행정명령 (2021.5). 연방정부 납품 SW의 SBOM 제출 의무화 | +| CRA | Cyber Resilience Act. EU 사이버 복원력 법 | + +--- + +## 4. 분량 분석 + +| 장 | 페이지 범위 | 비중 | +|---|-----------|------| +| 서문/목차 | p.1~4 | 15% | +| 제1장 추진배경 | p.5~6 | 10% | +| 제2장 SW 공급망 위험관리 방안 | p.7~13 | 35% | +| 제3장 SBOM 기반 SW 공급망 강화 방안 | p.14~19 | 30% | +| 판권/부록 | p.20~22 | 10% | + +--- + +## 5. 이슈 / 특이사항 + +| # | 유형 | 설명 | +|---|------|------| +| 1 | 관계 | 전체본(ref-017)의 축약본. 전체본 제2장 제3절의 SBOM 내용을 분리하여 별도 장으로 재구성 | +| 2 | 대상 독자 | 정책 결정자 및 기업 경영진 (개념 중심, 세부사항은 전체본 참고) | +| 3 | 사례 | SolarWinds(2020), Log4Shell(2021), Kaseya(2022) 공급망 공격 사례 수록 | +| 4 | 제도 참조 | 미국 EO 14028, OMB M-22-18, EU CRA 등 해외 제도 동향 | +| 5 | 실증 | 의료·보안 분야 SW 3종 대상 SBOM 생성·검증 실증 사례 포함 | +| 6 | 시설 | 기업지원허브(판교), 디지털헬스케어 보안 리빙랩(원주), 기술공유실(판교) 안내 | diff --git a/authorkit/references/ref-017/analysis.md b/authorkit/references/ref-017/analysis.md new file mode 100644 index 0000000..209e6f2 --- /dev/null +++ b/authorkit/references/ref-017/analysis.md @@ -0,0 +1,227 @@ +# ref-017: SW 공급망 보안 가이드라인 (전체본) — 분석 결과 + +> **역할**: 전체본 (실무 담당자·개발자 대상) +> **파일**: `240525-(전체본)_SW_공급망_보안_가이드라인_최종 수정본.pdf` +> **발행**: 국가정보원, 과학기술정보통신부, 디지털플랫폼정부위원회, 한국인터넷진흥원 (2024.05) +> **분량**: 100페이지 | 86,640자 | 21,263단어 | 이미지 88개 + +--- + +## 1. 구조 (목차) + +| 장 | 절 | 제목 | 페이지 | +|---|---|------|-------| +| **제1장** | | **SW 공급망 보안 국제동향 및 SBOM 활용사례** | p.10 | +| | 제1절 | 환경변화 | p.12 | +| | | 1. [변화-1] 초연결 사회의 도래 | p.12 | +| | | 2. [변화-2] SW 부품 공급의 분업화 | p.13 | +| | | 3. [변화-3] 공개 SW 사용의 확대 | p.14 | +| | 제2절 | SW 공급망 위기 대응의 필요성 | p.15 | +| | | 1. SW 공급망 공격 대응의 문제 | p.15 | +| | | 2. SW 공급망 침해사고의 피해 규모 | p.16 | +| | | 3. 공개 SW 사이버보안 관리의 중요성 | p.17 | +| | | 4. SW 공급망 공격의 주요 유형 및 대상 | p.19 | +| | 제3절 | 주요국 SW 공급망 보안 정책 동향 | p.24 | +| | | 1. 미국 | p.24 | +| | | 2. 유럽연합(EU) | p.26 | +| | | 3. 일본 | p.27 | +| | | 4. Quad 사이버보안 파트너십 | p.28 | +| | | 5. 시사점 | p.29 | +| **제2장** | | **SW 공급망 위험관리 방안** | p.30 | +| | 제1절 | 안전한 SW 개발환경의 필요성 | p.31 | +| | | 1. 공급망의 사이버보안 위험관리 개요 (C-SCRM) | p.31 | +| | | 2. SW 개발·운영 환경의 공급망 보안체계 구축 방안 | p.34 | +| | 제2절 | SW 구성요소의 신뢰성 확보 방안 | p.42 | +| | | 1. SBOM이란? | p.42 | +| | | 2. SBOM의 필요성 및 효과성 | p.43 | +| | | 3. SBOM 최소 요건 | p.45 | +| | | 4. SW 보안취약점 및 라이선스 관리방안 | p.48 | +| | 제3절 | SBOM 기반 SW 공급망 보안 강화 방안 | p.55 | +| | | 1. SW 위험관리를 위한 SBOM 기반 확산 | p.55 | +| **제3장** | | **SBOM 기반 SW 공급망 보안 실증사례** | p.60 | +| | 제1절 | SBOM 생성·활용 실증사례 | p.61 | +| | | 1. 실증 개요 | p.61 | +| | | 2. SBOM 생성 과정에서 SBOM 유효성 검증 | p.62 | +| | | 3. SBOM 도구를 활용한 컴포넌트 관리사례 | p.64 | +| | | 4. SBOM을 활용한 보안취약점 탐지 및 조치 | p.67 | +| | 제2절 | SW 공급망 보안 관리체계 점검 실증사례 | p.69 | +| | 제3절 | 자가 점검용 SW 공급망 단계별 체크리스트 | p.71 | +| **제4장** | | **SBOM 기반 SW 공급망 보안 활성화 지원** | p.74 | +| | 제1절 | SW 보안취약점 점검 지원 테스트베드 | p.75 | +| | | 1. 기업지원허브(판교) | p.75 | +| | | 2. 디지털헬스케어 보안 리빙랩(원주) | p.77 | +| | | 3. 국가사이버안보협력센터 기술공유실(판교) | p.81 | +| | 제2절 | SW 공급망 보안을 위한 SBOM 개발 | p.87 | +| | | 1. 국내 SBOM 표준 사례 | p.87 | +| | | 2. 국가정보원 제안 SBOM 기본항목 | p.89 | +| | 제3절 | SBOM 기반 SW 공급망 보안 발전 제언 | p.95 | +| **제5장** | | **맺음말** | p.97 | + +총 92개 헤딩 감지 + +--- + +## 2. 그림/표 목록 + +### 그림 (31개) + +| # | 제목 | 페이지 | +|---|------|-------| +| 그림 1 | 공급망 생태계 기본 모형 | p.12 | +| 그림 2 | 전통적인 공급망과 SW 공급망 비교 | p.13 | +| 그림 3 | 2024년도 사이버보안 위협분석과 전망 리포트[KISA] | p.14 | +| 그림 4 | 공개 SW 사용률 분석(OSSRA Report 2023) | p.18 | +| 그림 5 | EU 사이버 복원력 법안 개정 주요 내용 | p.26 | +| 그림 6 | 공급망 전반의 사이버보안 위험 예시 | p.32 | +| 그림 7 | 다단계 전사적 위험관리(C-SCRM) 개요 | p.33 | +| 그림 8 | SW 공급망 참여자에 따른 보안 활동 | p.34 | +| 그림 9 | SW 공급망 보안 개발 프로세스 | p.35 | +| 그림 10 | NShiftKey 보안 체크 화면 | p.41 | +| 그림 11 | SBOM 활용의 효과성 | p.43 | +| 그림 12 | SBOM 도입 효과성 분석 | p.44 | +| 그림 13 | SBOM에 연계된 보안취약점 정보 예시(CycloneDX 포맷) | p.48 | +| 그림 14 | NVD를 통한 알려진 보안취약점(CVE) 조회 화면 | p.49 | +| 그림 15 | 기본 점수에 따른 악용 가능성 분석 예시(CVSS Calculator) | p.50 | +| 그림 16 | NVD 보안취약점의 조치방안(Log4j 예시) | p.50 | +| 그림 17 | 공개 SW 라이선스 분류 | p.51 | +| 그림 18 | SBOM 라이선스 탐지 예시(SPDX 포맷) | p.53 | +| 그림 19 | SW 공급망과 내·외부 SW 유형 예시 | p.55 | +| 그림 20 | SW 개발 생명주기에 따른 SBOM 구성 방안(개발사) | p.56 | +| 그림 21 | 산업별 거점을 활용한 SW 위험관리 구성도 | p.57 | +| 그림 22 | SW 공급망 관리센터 체계도 | p.58 | +| 그림 23 | SBOM 생성·공급(유통) 체계도 | p.59 | +| 그림 24 | SBOM 기반 공급망 보안 관리 실증 절차 | p.61 | +| 그림 25 | 소스코드에서 검출된 컴포넌트 리스트(예시) | p.65 | +| 그림 26 | SBOM을 활용한 보안취약점 탐지(예시) | p.67 | +| 그림 27 | 보안취약점데이터베이스 검색 결과(예시) | p.68 | +| 그림 28 | 기업지원허브 IoT 기기 사이버보안 위협 시연시설 | p.75 | +| 그림 29 | 디지털헬스케어 보안리빙랩 구성도 | p.78 | +| 그림 30 | 디지털헬스케어 보안리빙랩 현장 | p.79 | +| 그림 31 | NIS-SBOM 적용 SW 컴포넌트별 출력 예시 | p.93 | + +### 표 (35개) + +| # | 제목 | 페이지 | +|---|------|-------| +| 표 1 | 국내외 SW 공급망 침해사고의 피해 규모 | p.16 | +| 표 2 | 주요 SW 공급망 공격 유형 | p.19 | +| 표 3 | 유형별 SW 공급망 공격 대상 및 침투 경로 | p.20 | +| 표 4 | 미국의 SW 공급망 보안 추진경과 | p.25 | +| 표 5 | 경제산업성이 공개한 SBOM 실증 로드맵(2022.05) | p.27 | +| 표 6 | Quad 사이버보안 파트너십 요약 | p.28 | +| 표 7 | 이해관계자의 역할에 따른 주요 C-SCRM 활동 예시 | p.33 | +| 표 8 | 개발사를 위한 공급망 보안 권장 활동 | p.36 | +| 표 9 | 공급사를 위한 공급망 보안 권장 활동 | p.37 | +| 표 10 | 운영사를 위한 공급망 보안 권장 활동 | p.37 | +| 표 11 | SW 개발 생명주기(SDLC) 단계별 개념 정의 | p.40 | +| 표 12 | SSDF 구현을 위한 공급망 보안 권장 활동 | p.40 | +| 표 13 | SBOM과 기타 BOM 명세서와 비교 | p.42 | +| 표 14 | 데이터 필드의 기본항목 | p.45 | +| 표 15 | SBOM 표준간 데이터 속성 비교 | p.46 | +| 표 16 | 공개 SW 라이선스 관리 범위(예시) | p.52 | +| 표 17 | 실증 추진계획 수립 | p.61 | +| 표 18 | SBOM 유효성 검증 단계에서 데이터 누락·중복 사례 | p.63 | +| 표 19 | SW 제품 형태별 SBOM 생성 후 컴포넌트 수 비교 – 기업 B | p.65 | +| 표 20 | SW 제품 형태별 SBOM 생성 후 컴포넌트 수 비교 – 기업 A | p.66 | +| 표 21 | SW 공급망 보안 점검 실증 항목 일부 | p.69 | +| 표 22 | SW 공급망 보안 점검 상세 결과 | p.70 | +| 표 23 | SW 공급망 보안 점검 결과 미흡 사례 | p.70 | +| 표 24 | 공급망 보안 단계별 체크리스트(안) | p.71 | +| 표 25 | SBOM 생성 도구 현황 및 주요 특징(요약) | p.76 | +| 표 26 | 연도별 기업지원허브(IoT 테스트베드) 이용 현황 | p.77 | +| 표 27 | 보안취약점 점검도구 현황 | p.79 | +| 표 28 | 분석 도구 지원 사양 | p.81 | +| 표 29 | 분석 도구 주요 특징 | p.82 | +| 표 30 | SBOM 기반 공급망 보안 테스트베드 주요 동작 방식 | p.83 | +| 표 31 | 공급망 보안 테스트베드 활용 분석 결과 | p.85 | +| 표 32 | SW 공급망 보안 관리 체계 시나리오 | p.86 | +| 표 33 | SBOM 관련 국내외 표준 현황 | p.87 | +| 표 34 | 정보통신 단체표준 SBOM 속성 규격 | p.88 | +| 표 35 | NIS-SBOM 구성항목 | p.90 | + +--- + +## 3. 핵심 개념 / 용어 + +| 용어 | 정의/설명 | +|------|-----------| +| SW 공급망 | 최종 SW 제품을 생산하는 사람, 장치, 시스템의 집합. 코드 작성~사용자 실행까지의 전 과정 | +| SBOM (SW Bill of Materials) | SW 구성요소 명세서. SW에 포함된 모든 구성요소를 종속성 트리 구조로 목록화 | +| C-SCRM | Cybersecurity Supply Chain Risk Management. 공급망 사이버보안 위험관리 (NIST 800-161r1) | +| SSDF | Secure Software Development Framework (NIST SP 800-218). 안전한 SW 개발체계 | +| ESF | Enduring Security Framework. CISA·NSA 참여 주요 인프라 보안 민관 파트너십 | +| SDLC | SW 개발 생명주기 (Software Development Life Cycle) | +| SCA | Software Composition Analysis. SW 구성요소 분석 도구 | +| SPDX | Software Package Data Exchange. 리눅스재단 SBOM 표준 (ISO/IEC 5962) | +| CycloneDX | OWASP 주도 공급망 보안 관리용 SBOM 표준 | +| SWID | Software Identification Tag. SW 자산관리 표준 (ISO/IEC 19770-2) | +| CVE | Common Vulnerabilities Exposures. 공개 보안 결함 목록 | +| CVSS | Common Vulnerabilities Scoring System. 보안취약점 위험도 (0.0~10.0) | +| KEV | Known Exploited Vulnerability. 악용 사례가 알려진 보안취약점 (CISA) | +| NVD | National Vulnerability Database. 미국 국가 보안취약점 데이터베이스 | +| NIS-SBOM | 국가정보원 제안 SBOM 기본항목 (20개). 간소화·취약점 연동·위험관리 효율화 목표 | +| NShiftKey | 국산 공급망 보안 관리 도구. 보안 체크 기능 제공 | +| EO 14028 | 바이든 행정부 사이버보안 행정명령 (2021.5). SBOM 제출 의무화 | +| OMB M-22-18 | 행정 부서 및 기관장을 위한 SW 공급망 보안 강화 각서 (2022.9) | +| CRA | EU Cyber Resilience Act. 디지털기기 SBOM 제출 의무화 (2026 하반기 시행 예상) | +| Quad 사이버보안 파트너십 | 미국·호주·일본·인도 4개국 사이버보안 협력 | +| OSSRA | Open Source Security and Risk Analysis. Synopsys 공개 SW 사용률 분석 보고서 | +| TTAK.KO-11.0309 | 국내 SBOM 단체표준 (정보통신기술협회, 2022.12) | +| 자체증명서 (Self-attestation) | SSDF 준수를 법적으로 입증하는 절차 | + +--- + +## 4. 분량 분석 + +| 장 | 페이지 범위 | 분량 | 비중 | +|---|-----------|------|------| +| 서문/목차 | p.1~9 | 9p | 9% | +| 제1장 추진배경·국제동향 | p.10~29 | 20p | 20% | +| 제2장 SW 공급망 위험관리 방안 | p.30~59 | 30p | **30%** | +| 제3장 SBOM 실증사례 | p.60~73 | 14p | 14% | +| 제4장 활성화 지원 | p.74~96 | 23p | **23%** | +| 제5장 맺음말 | p.97~100 | 4p | 4% | + +> 핵심 비중: 제2장(위험관리 방안) 30% + 제4장(활성화 지원) 23% = 전체의 53% + +--- + +## 5. SW 공급망 공격 유형 (7가지) + +본 가이드라인에서 식별한 SW 공급망 공격의 주요 유형: + +| # | 유형 | 설명 | +|---|------|------| +| 1 | 공개 SW 보안취약점 | 공개 SW에 존재하는 취약점 악용 | +| 2 | 타사 의존성 | 제3자 개발 라이브러리·모듈의 취약점 | +| 3 | 공용 리포지토리 | npm, PyPI 등 패키지 저장소를 통한 악성코드 배포 | +| 4 | 변환 시스템 | 빌드·CI/CD 파이프라인 침해 | +| 5 | 업데이트 가로채기 | 정상 업데이트 경로를 탈취하여 악성코드 배포 | +| 6 | 내부 리포지토리 | 기업 내부 코드 저장소 침해 | +| 7 | 공급사 및 협력사 | 신뢰된 공급업체를 경유한 침투 | + +--- + +## 6. 주요 사고 사례 + +| 사례 | 시기 | 피해 | +|------|------|------| +| SolarWinds | 2020 | IT SW 공급사 해킹, 18,000개 이상 기관 피해 | +| Log4Shell (Log4j) | 2021 | 제로데이 취약점 악용, 전 세계 취약 서버 대상 대량 공격 | +| Kaseya | 2022 | IT 원격관리 솔루션 해킹, 17개국 1,500여 조직 피해 | +| Codecov | 2021 | 인증정보 유출, 2차 공격 파급 규모 측정 불가 | + +--- + +## 7. 이슈 / 특이사항 + +| # | 유형 | 설명 | +|---|------|------| +| 1 | 관계 | 요약본(ref-016)의 원본. 요약본은 제2장 제3절 SBOM 내용을 분리하여 재구성 | +| 2 | 실증 | 의료·보안 분야 국산 SW 3종(소스코드+바이너리) 대상 SBOM 생성·검증 실증 | +| 3 | 체크리스트 | 자가 점검용 SW 공급망 단계별 보안 체크리스트 제공 (표 24) | +| 4 | NIS-SBOM | 국가정보원 제안 20개 기본항목 (기존 NTIA 7개 대비 확장) | +| 5 | 테스트베드 | 판교 기업지원허브, 원주 디지털헬스케어 리빙랩, 판교 기술공유실 3곳 안내 | +| 6 | 도구 비교 | SBOM 생성 도구(공개 SW + 상용) 특징 비교 및 교차 검증 필요성 강조 | +| 7 | 제도 전망 | EU CRA 2026 하반기 시행, 미국 자체증명서 제출 의무화 등 | +| 8 | 라이선스 | SBOM을 통한 공개 SW 라이선스 관리 방안 별도 설명 (표 16, 그림 17~18) | diff --git a/authorkit/structure.md b/authorkit/structure.md index fa1963b..2f1f439 100644 --- a/authorkit/structure.md +++ b/authorkit/structure.md @@ -173,77 +173,85 @@ - 22-2. 결과 수집 및 리포팅 - 22-3. CI/CD 파이프라인 연동 +#### 23장. SW 공급망 보안 (ref-016, ref-017 기반) +- 23-1. SW 공급망 보안 개요 (환경변화, 공격 사례, 7가지 공격 유형, 주요국 동향) +- 23-2. SW 공급망 위험관리 체계 (C-SCRM, 참여자 역할, SSDF) +- 23-3. SBOM의 이해와 활용 (정의, 최소요건, 표준, 취약점·라이선스 관리) +- 23-4. SBOM 기반 공급망 보안 체계 구축 (관리 체계, 유효성 검증, NIS-SBOM) +- 23-5. 자가 점검 체크리스트 (설계/개발/공급/운영/유지보수 29개 항목) +- 23-6. 지원 인프라 및 발전 방향 (테스트베드, 표준, 제언) + --- ### Part V. AI 보안 점검 (ref-003 기반) -#### 23장. AI 보안 개요 -- 23-1. AI 보안 위협 유형 (적대적 예제, 오염 공격, 모델 추출 등) -- 23-2. AI 보안 안내서의 적용범위 -- 23-3. AI 서비스 생명주기와 보안 프레임워크 - -#### 24장. AI 개발자를 위한 보안 점검 -- 24-1. 계획 및 설계 — 거버넌스, 위험관리 (1.1~1.2) -- 24-2. 데이터 수집 및 준비 — 수집/전처리, 무결성, 라벨링 (2.1~2.3) -- 24-3. 모델 개발 — 학습환경, 알고리즘, 오픈소스, 개발환경 (3.1~3.4) -- 24-4. 모델 배포 — 배포보안, API보안 (4.1~4.2) -- 24-5. 모니터링 및 유지보수 — 운영보안, 사후관리 (5.1~5.2) -- 24-6. 파기 — 파기 시 보안 (6.1) - -#### 25장. AI 서비스 제공자를 위한 보안 점검 -- 25-1. 서비스 제공자 보안 프레임워크 -- 25-2. Generative AI 서비스 보안 요구사항 -- 25-3. Predictive AI 서비스 보안 요구사항 -- 25-4. 사용자 피드백 및 개선 과정 보안 - -#### 26장. AI 이용자를 위한 보안 수칙 -- 26-1. AI 이용자 대상 보안위협 사례 -- 26-2. AI 서비스 이용 시 보안 수칙 -- 26-3. 바이브코딩 환경에서의 AI 보안 +#### 24장. AI 보안 개요 +- 24-1. AI 보안 위협 유형 (적대적 예제, 오염 공격, 모델 추출 등) +- 24-2. AI 보안 안내서의 적용범위 +- 24-3. AI 서비스 생명주기와 보안 프레임워크 + +#### 25장. AI 개발자를 위한 보안 점검 +- 25-1. 계획 및 설계 — 거버넌스, 위험관리 (1.1~1.2) +- 25-2. 데이터 수집 및 준비 — 수집/전처리, 무결성, 라벨링 (2.1~2.3) +- 25-3. 모델 개발 — 학습환경, 알고리즘, 오픈소스, 개발환경 (3.1~3.4) +- 25-4. 모델 배포 — 배포보안, API보안 (4.1~4.2) +- 25-5. 모니터링 및 유지보수 — 운영보안, 사후관리 (5.1~5.2) +- 25-6. 파기 — 파기 시 보안 (6.1) + +#### 26장. AI 서비스 제공자를 위한 보안 점검 +- 26-1. 서비스 제공자 보안 프레임워크 +- 26-2. Generative AI 서비스 보안 요구사항 +- 26-3. Predictive AI 서비스 보안 요구사항 +- 26-4. 사용자 피드백 및 개선 과정 보안 + +#### 27장. AI 이용자를 위한 보안 수칙 +- 27-1. AI 이용자 대상 보안위협 사례 +- 27-2. AI 서비스 이용 시 보안 수칙 +- 27-3. 바이브코딩 환경에서의 AI 보안 --- ### Part VI. 시큐어코딩 가이드 (ref-011, ref-012 기반) -#### 27장. 시큐어코딩 개요 -- 27-1. 시큐어코딩이란? -- 27-2. 7개 보안약점 카테고리 이해 -- 27-3. CWE 매핑 체계 -- 27-4. JavaScript vs Python 공통/차이 항목 비교 - -#### 28장. 입력데이터 검증 및 표현 -- 28-1. SQL 삽입 (CWE-89) — JS: Sequelize/Mongoose, Py: Django ORM/SQLAlchemy -- 28-2. 코드 삽입 (CWE-94, 95) — JS: eval(), Py: exec()/eval() -- 28-3. 경로 조작 및 자원 삽입 (CWE-22, 99) -- 28-4. 크로스사이트 스크립트 XSS (CWE-79) -- 28-5. 운영체제 명령어 삽입 (CWE-78) -- 28-6. 파일 업로드 / URL 리다이렉트 / XXE / XML 삽입 / LDAP -- 28-7. CSRF (CWE-352) / SSRF (CWE-918) -- 28-8. [Python만] HTTP 응답분할, 정수형 오버플로우, 포맷 스트링 - -#### 29장. 보안기능 -- 29-1. 인증 및 인가 (CWE-306, 285, 732) -- 29-2. 암호화 — 알고리즘, 키 길이, 난수 (CWE-327, 326, 330) -- 29-3. 중요정보 보호 — 하드코딩, 평문 저장/전송 (CWE-259, 312, 319) -- 29-4. 패스워드 / 전자서명 / 인증서 (CWE-521, 347, 295) -- 29-5. 쿠키, 주석문, 솔트, 무결성, 인증 제한 (CWE-539, 615, 759, 494, 307) - -#### 30장. 시간/상태, 에러처리, 코드오류 -- 30-1. TOCTOU 경쟁조건 (CWE-367) — Python -- 30-2. 무한 반복/재귀 (CWE-835, 674) -- 30-3. 오류 메시지 정보노출 (CWE-209) / 오류 대응 부재 (CWE-390) -- 30-4. Null Pointer (CWE-476) / 자원 해제 (CWE-404) -- 30-5. 역직렬화 (CWE-502) — JS: JSON, Py: pickle - -#### 31장. 캡슐화, API 오용 -- 31-1. 세션 데이터 노출 / 디버그 코드 (CWE-488, 489) -- 31-2. Private 배열 보호 (CWE-495, 496) -- 31-3. DNS lookup 의존 / 취약한 API (CWE-350) - -#### 32장. 바이브코딩 환경의 시큐어코딩 -- 32-1. AI 도구가 생성하는 코드의 보안 취약점 패턴 -- 32-2. Claude/Cursor/Copilot에 시큐어코딩 프롬프트 적용하기 -- 32-3. 코드 리뷰 자동화와 CWE 기반 점검 +#### 28장. 시큐어코딩 개요 +- 28-1. 시큐어코딩이란? +- 28-2. 7개 보안약점 카테고리 이해 +- 28-3. CWE 매핑 체계 +- 28-4. JavaScript vs Python 공통/차이 항목 비교 + +#### 29장. 입력데이터 검증 및 표현 +- 29-1. SQL 삽입 (CWE-89) — JS: Sequelize/Mongoose, Py: Django ORM/SQLAlchemy +- 29-2. 코드 삽입 (CWE-94, 95) — JS: eval(), Py: exec()/eval() +- 29-3. 경로 조작 및 자원 삽입 (CWE-22, 99) +- 29-4. 크로스사이트 스크립트 XSS (CWE-79) +- 29-5. 운영체제 명령어 삽입 (CWE-78) +- 29-6. 파일 업로드 / URL 리다이렉트 / XXE / XML 삽입 / LDAP +- 29-7. CSRF (CWE-352) / SSRF (CWE-918) +- 29-8. [Python만] HTTP 응답분할, 정수형 오버플로우, 포맷 스트링 + +#### 30장. 보안기능 +- 30-1. 인증 및 인가 (CWE-306, 285, 732) +- 30-2. 암호화 — 알고리즘, 키 길이, 난수 (CWE-327, 326, 330) +- 30-3. 중요정보 보호 — 하드코딩, 평문 저장/전송 (CWE-259, 312, 319) +- 30-4. 패스워드 / 전자서명 / 인증서 (CWE-521, 347, 295) +- 30-5. 쿠키, 주석문, 솔트, 무결성, 인증 제한 (CWE-539, 615, 759, 494, 307) + +#### 31장. 시간/상태, 에러처리, 코드오류 +- 31-1. TOCTOU 경쟁조건 (CWE-367) — Python +- 31-2. 무한 반복/재귀 (CWE-835, 674) +- 31-3. 오류 메시지 정보노출 (CWE-209) / 오류 대응 부재 (CWE-390) +- 31-4. Null Pointer (CWE-476) / 자원 해제 (CWE-404) +- 31-5. 역직렬화 (CWE-502) — JS: JSON, Py: pickle + +#### 32장. 캡슐화, API 오용 +- 32-1. 세션 데이터 노출 / 디버그 코드 (CWE-488, 489) +- 32-2. Private 배열 보호 (CWE-495, 496) +- 32-3. DNS lookup 의존 / 취약한 API (CWE-350) + +#### 33장. 바이브코딩 환경의 시큐어코딩 +- 33-1. AI 도구가 생성하는 코드의 보안 취약점 패턴 +- 33-2. Claude/Cursor/Copilot에 시큐어코딩 프롬프트 적용하기 +- 33-3. 코드 리뷰 자동화와 CWE 기반 점검 --- @@ -277,11 +285,11 @@ | Part I. 기초 이해 | 2장 | 30~40 | | Part II. 기술적 취약점 | 10장 | 250~300 | | Part III. 관리적·물리적 | 7장 | 100~120 | -| Part IV. 실무 적용 | 3장 | 50~60 | +| Part IV. 실무 적용 | **4장** | **80~100** | | Part V. AI 보안 점검 | 4장 | 80~100 | | Part VI. 시큐어코딩 가이드 | 6장 | 120~150 | | 부록 | 4개 | 40~50 | -| **합계** | **32장** | **670~820** | +| **합계** | **33장** | **700~860** | --- @@ -295,4 +303,4 @@ --- -*최종 업데이트: 2026-04-02 (ref-011/012 시큐어코딩 가이드 추가, Part VI 신설)* +*최종 업데이트: 2026-04-08 (ref-016/017 SW 공급망 보안 가이드라인 추가, 23장 신설)* diff --git a/docs/README.ar.md b/docs/README.ar.md index a2a95a6..14ccb25 100644 --- a/docs/README.ar.md +++ b/docs/README.ar.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -اضافة لـ Claude Code لتقييم الثغرات الامنية في البنى التحتية الحيوية للمعلومات (CII) وتقييم امن الذكاء الاصطناعي وامن الروبوتات وامن الفضاء ودليل البرمجة الامنة وتقييم امن الثقة الصفرية (Zero Trust)، استنادا الى ارشادات وكالة الانترنت والامن الكورية (KISA). +اضافة لـ Claude Code لتقييم الثغرات الامنية في البنى التحتية الحيوية للمعلومات (CII) وتقييم امن الذكاء الاصطناعي وامن الروبوتات وامن الفضاء ودليل البرمجة الامنة وتقييم امن الثقة الصفرية (Zero Trust) وأمن سلسلة توريد البرمجيات (SBOM)، استنادا الى ارشادات وكالة الانترنت والامن الكورية (KISA). --- @@ -16,10 +16,10 @@ KESE (KISA Enhanced Security Evaluation Kit) هي اضافة لـ Claude Code ت | المهارة | الوصف | |---------|-------| -| `/kesekit-start` | تشغيل تقييم شامل للثغرات الامنية (CII اكثر من 560 / امن الذكاء الاصطناعي / امن الروبوتات / امن الفضاء / البرمجة الامنة / الثقة الصفرية) | -| `/kesekit-check` | قائمة فحص الامتثال الامني قبل النشر (CII / الذكاء الاصطناعي / الروبوتات / الفضاء / البرمجة الامنة / الثقة الصفرية) | -| `/kesekit-fix` | انشاء تلقائي لنصوص التقوية والاصلاحات الامنية (CII / الذكاء الاصطناعي / الروبوتات / الفضاء / البرمجة الامنة / الثقة الصفرية) | -| `/kesekit-guide` | انشاء موجهات البرمجة الامنة لادوات الذكاء الاصطناعي (CII / الذكاء الاصطناعي / الروبوتات / الفضاء / JS·Python·عام / الثقة الصفرية) | +| `/kesekit-start` | تشغيل تقييم شامل للثغرات الامنية (CII اكثر من 560 / امن الذكاء الاصطناعي / امن الروبوتات / امن الفضاء / البرمجة الامنة / الثقة الصفرية / سلسلة توريد البرمجيات) | +| `/kesekit-check` | قائمة فحص الامتثال الامني قبل النشر (CII / الذكاء الاصطناعي / الروبوتات / الفضاء / البرمجة الامنة / الثقة الصفرية / سلسلة توريد البرمجيات) | +| `/kesekit-fix` | انشاء تلقائي لنصوص التقوية والاصلاحات الامنية (CII / الذكاء الاصطناعي / الروبوتات / الفضاء / البرمجة الامنة / الثقة الصفرية / سلسلة توريد البرمجيات) | +| `/kesekit-guide` | انشاء موجهات البرمجة الامنة لادوات الذكاء الاصطناعي (CII / الذكاء الاصطناعي / الروبوتات / الفضاء / JS·Python·عام / الثقة الصفرية / سلسلة توريد البرمجيات) | ## الارشادات المدعومة @@ -129,6 +129,16 @@ KESE (KISA Enhanced Security Evaluation Kit) هي اضافة لـ Claude Code ت الفئة المستهدفة: المؤسسات التي تتبنى الثقة الصفرية، بيئات OT/ICS، المؤسسات المهاجرة الى السحابة، مسؤولو تقييم نضج الامن +### 7. أمن سلسلة توريد البرمجيات (SBOM) — 29 عنصرا + +| المرحلة | الرمز | العناصر | المعيار المرجعي | +|---------|-------|:-------:|----------------| +| التصميم | SC-01~05 | 5 | NIST SP 800-161r1 | +| التطوير | SC-06~16 | 11 | NIST SP 800-218 | +| التوريد/التوزيع | SC-17~19 | 3 | NTIA SBOM | +| النشر والتشغيل | SC-20~26 | 7 | NIS-SBOM | +| الصيانة | SC-27~29 | 3 | NIS-SBOM | + ## التثبيت ``` diff --git a/docs/README.de.md b/docs/README.de.md index 59cfa3f..ee1abf4 100644 --- a/docs/README.de.md +++ b/docs/README.de.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -Ein Claude Code-Plugin zur Schwachstellenanalyse und -bewertung kritischer Informationsinfrastrukturen (CII), KI-Sicherheitsbewertung, Roboter-Sicherheitspruefung, Weltraum-Sicherheitspruefung, Secure-Coding-Leitfaden und Zero-Trust-Sicherheitsbewertung. +Ein Claude Code-Plugin zur Schwachstellenanalyse und -bewertung kritischer Informationsinfrastrukturen (CII), KI-Sicherheitsbewertung, Roboter-Sicherheitspruefung, Weltraum-Sicherheitspruefung, Secure-Coding-Leitfaden, Zero-Trust-Sicherheitsbewertung und SW-Lieferkettensicherheit (SBOM). --- @@ -16,10 +16,10 @@ KESE (KISA Enhanced Security Evaluation Kit) ist ein Claude Code-Plugin, das umf | Skill | Beschreibung | |-------|--------------| -| `/kesekit-start` | Vollstaendige Sicherheits-Schwachstellenbewertung ausfuehren (CII 560+ / KI-Sicherheit / Roboter-Sicherheit / Weltraum-Sicherheit / Secure Coding / Zero Trust) | -| `/kesekit-check` | Sicherheits-Compliance-Checkliste vor der Bereitstellung (CII / KI / Roboter / Weltraum / Secure Coding / Zero Trust) | -| `/kesekit-fix` | Automatische Generierung von Haertungsskripten und Sicherheitskorrekturen (CII / KI / Roboter / Weltraum / Secure Coding / Zero Trust) | -| `/kesekit-guide` | Sichere Coding-Prompts fuer KI-Werkzeuge generieren (CII / KI / Roboter / Weltraum / JS·Python·Generisch / Zero Trust) | +| `/kesekit-start` | Vollstaendige Sicherheits-Schwachstellenbewertung ausfuehren (CII 560+ / KI-Sicherheit / Roboter-Sicherheit / Weltraum-Sicherheit / Secure Coding / Zero Trust / SW-Lieferkette) | +| `/kesekit-check` | Sicherheits-Compliance-Checkliste vor der Bereitstellung (CII / KI / Roboter / Weltraum / Secure Coding / Zero Trust / SW-Lieferkette) | +| `/kesekit-fix` | Automatische Generierung von Haertungsskripten und Sicherheitskorrekturen (CII / KI / Roboter / Weltraum / Secure Coding / Zero Trust / SW-Lieferkette) | +| `/kesekit-guide` | Sichere Coding-Prompts fuer KI-Werkzeuge generieren (CII / KI / Roboter / Weltraum / JS·Python·Generisch / Zero Trust / SW-Lieferkette) | ## Unterstuetzte Richtlinien @@ -129,6 +129,16 @@ Zielgruppe: JavaScript/Python-Webentwickler, KI-Tool-Nutzer (Claude, Cursor, Cop Zielgruppe: Unternehmen mit Zero-Trust-Einfuehrung, OT/ICS-Umgebungen, Cloud-Migrationsorganisationen, Verantwortliche fuer Sicherheitsreifegradbeurteilung +### 7. SW-Lieferkettensicherheit (SBOM) — 29 Elemente + +| Phase | Code | Elemente | Referenzstandards | +|-------|------|:--------:|-------------------| +| Entwurf | SC-01~05 | 5 | NIST SP 800-161r1 | +| Entwicklung | SC-06~16 | 11 | NIST SP 800-218 | +| Lieferung/Verteilung | SC-17~19 | 3 | NTIA SBOM | +| Bereitstellung und Betrieb | SC-20~26 | 7 | NIS-SBOM | +| Wartung | SC-27~29 | 3 | NIS-SBOM | + ## Installation ``` diff --git a/docs/README.es.md b/docs/README.es.md index 708dde6..a9eebe3 100644 --- a/docs/README.es.md +++ b/docs/README.es.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -Plugin de Claude Code para el analisis y evaluacion de vulnerabilidades en Infraestructuras Criticas de Informacion (CII), evaluacion de seguridad de IA, inspeccion de seguridad de robots, inspeccion de seguridad espacial, guia de codificacion segura y evaluacion de seguridad Zero Trust. +Plugin de Claude Code para el analisis y evaluacion de vulnerabilidades en Infraestructuras Criticas de Informacion (CII), evaluacion de seguridad de IA, inspeccion de seguridad de robots, inspeccion de seguridad espacial, guia de codificacion segura, evaluacion de seguridad Zero Trust y seguridad de la cadena de suministro SW (SBOM). --- @@ -16,10 +16,10 @@ KESE (KISA Enhanced Security Evaluation Kit) es un plugin de Claude Code que ofr | Skill | Descripcion | |-------|-------------| -| `/kesekit-start` | Ejecutar evaluacion completa de vulnerabilidades de seguridad (CII 560+ / Seguridad IA / Seguridad de robots / Seguridad espacial / Codificacion segura / Zero Trust) | -| `/kesekit-check` | Lista de verificacion de cumplimiento de seguridad previo al despliegue (CII / IA / Robots / Espacio / Codificacion segura / Zero Trust) | -| `/kesekit-fix` | Generacion automatica de scripts de hardening y correcciones de seguridad (CII / IA / Robots / Espacio / Codificacion segura / Zero Trust) | -| `/kesekit-guide` | Generar prompts de codificacion segura para herramientas de IA (CII / IA / Robots / Espacio / JS·Python·Generico / Zero Trust) | +| `/kesekit-start` | Ejecutar evaluacion completa de vulnerabilidades de seguridad (CII 560+ / Seguridad IA / Seguridad de robots / Seguridad espacial / Codificacion segura / Zero Trust / Cadena de suministro SW) | +| `/kesekit-check` | Lista de verificacion de cumplimiento de seguridad previo al despliegue (CII / IA / Robots / Espacio / Codificacion segura / Zero Trust / Cadena de suministro SW) | +| `/kesekit-fix` | Generacion automatica de scripts de hardening y correcciones de seguridad (CII / IA / Robots / Espacio / Codificacion segura / Zero Trust / Cadena de suministro SW) | +| `/kesekit-guide` | Generar prompts de codificacion segura para herramientas de IA (CII / IA / Robots / Espacio / JS·Python·Generico / Zero Trust / Cadena de suministro SW) | ## Directrices soportadas @@ -129,6 +129,16 @@ Destinatarios: desarrolladores web JavaScript/Python, usuarios de herramientas I Destinatarios: empresas que adoptan Zero Trust, entornos OT/ICS, organizaciones en migracion a la nube, responsables de evaluacion de madurez de seguridad +### 7. Seguridad de la cadena de suministro SW (SBOM) — 29 elementos + +| Fase | Codigo | Elementos | Estandares de referencia | +|------|--------|:---------:|--------------------------| +| Diseno | SC-01~05 | 5 | NIST SP 800-161r1 | +| Desarrollo | SC-06~16 | 11 | NIST SP 800-218 | +| Suministro/Distribucion | SC-17~19 | 3 | NTIA SBOM | +| Despliegue y operaciones | SC-20~26 | 7 | NIS-SBOM | +| Mantenimiento | SC-27~29 | 3 | NIS-SBOM | + ## Instalacion ``` diff --git a/docs/README.fr.md b/docs/README.fr.md index bdd5f14..d4e3421 100644 --- a/docs/README.fr.md +++ b/docs/README.fr.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -Plugin Claude Code pour l'analyse des vulnerabilites des infrastructures d'information critiques (CII), l'evaluation de la securite de l'IA, l'inspection de securite des robots, l'inspection de securite spatiale, le guide de codage securise et l'evaluation de securite Zero Trust. +Plugin Claude Code pour l'analyse des vulnerabilites des infrastructures d'information critiques (CII), l'evaluation de la securite de l'IA, l'inspection de securite des robots, l'inspection de securite spatiale, le guide de codage securise, l'evaluation de securite Zero Trust et la securite de la chaine d'approvisionnement SW (SBOM). --- @@ -16,10 +16,10 @@ KESE (KISA Enhanced Security Evaluation Kit) est un plugin Claude Code qui fourn | Skill | Description | |-------|-------------| -| `/kesekit-start` | Executer une evaluation complete des vulnerabilites de securite (CII 560+ / Securite IA / Securite des robots / Securite spatiale / Codage securise / Zero Trust) | -| `/kesekit-check` | Checklist de conformite securite avant deploiement (CII / IA / Robots / Espace / Codage securise / Zero Trust) | -| `/kesekit-fix` | Generation automatique de scripts de durcissement et de correctifs de securite (CII / IA / Robots / Espace / Codage securise / Zero Trust) | -| `/kesekit-guide` | Generer des prompts de codage securise pour les outils d'IA (CII / IA / Robots / Espace / JS·Python·Generique / Zero Trust) | +| `/kesekit-start` | Executer une evaluation complete des vulnerabilites de securite (CII 560+ / Securite IA / Securite des robots / Securite spatiale / Codage securise / Zero Trust / Chaine d'approvisionnement SW) | +| `/kesekit-check` | Checklist de conformite securite avant deploiement (CII / IA / Robots / Espace / Codage securise / Zero Trust / Chaine d'approvisionnement SW) | +| `/kesekit-fix` | Generation automatique de scripts de durcissement et de correctifs de securite (CII / IA / Robots / Espace / Codage securise / Zero Trust / Chaine d'approvisionnement SW) | +| `/kesekit-guide` | Generer des prompts de codage securise pour les outils d'IA (CII / IA / Robots / Espace / JS·Python·Generique / Zero Trust / Chaine d'approvisionnement SW) | ## Directives prises en charge @@ -129,6 +129,16 @@ Cible : developpeurs web JavaScript/Python, utilisateurs d'outils IA (Claude, Cu Cible : entreprises adoptant le Zero Trust, environnements OT/ICS, organisations en migration cloud, responsables de l'evaluation de la maturite de securite +### 7. Securite de la chaine d'approvisionnement SW (SBOM) — 29 elements + +| Phase | Code | Elements | Normes de reference | +|-------|------|:--------:|---------------------| +| Conception | SC-01~05 | 5 | NIST SP 800-161r1 | +| Developpement | SC-06~16 | 11 | NIST SP 800-218 | +| Fourniture/Distribution | SC-17~19 | 3 | NTIA SBOM | +| Deploiement et exploitation | SC-20~26 | 7 | NIS-SBOM | +| Maintenance | SC-27~29 | 3 | NIS-SBOM | + ## Installation ``` diff --git a/docs/README.hi.md b/docs/README.hi.md index bd8c671..721786a 100644 --- a/docs/README.hi.md +++ b/docs/README.hi.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -प्रमुख सूचना एवं संचार अवसंरचना (CII) की कमजोरी विश्लेषण-मूल्यांकन, AI सुरक्षा मूल्यांकन, रोबोट सुरक्षा, अंतरिक्ष सुरक्षा, सुरक्षित कोडिंग गाइड और जीरो ट्रस्ट सुरक्षा मूल्यांकन के लिए Claude Code स्किल प्लगइन। +प्रमुख सूचना एवं संचार अवसंरचना (CII) की कमजोरी विश्लेषण-मूल्यांकन, AI सुरक्षा मूल्यांकन, रोबोट सुरक्षा, अंतरिक्ष सुरक्षा, सुरक्षित कोडिंग गाइड, जीरो ट्रस्ट सुरक्षा मूल्यांकन और SW आपूर्ति श्रृंखला सुरक्षा (SBOM) के लिए Claude Code स्किल प्लगइन। --- @@ -16,10 +16,10 @@ KESE (KISA Enhanced Security Evaluation Kit) एक Claude Code प्लगइ | स्किल | विवरण | |-------|-------| -| `/kesekit-start` | पूर्ण सुरक्षा कमजोरी मूल्यांकन चलाएँ (CII 560+ / AI सुरक्षा / रोबोट सुरक्षा / अंतरिक्ष सुरक्षा / सुरक्षित कोडिंग / जीरो ट्रस्ट) | -| `/kesekit-check` | तैनाती-पूर्व सुरक्षा अनुपालन चेकलिस्ट (CII / AI / रोबोट / अंतरिक्ष / सुरक्षित कोडिंग / जीरो ट्रस्ट) | -| `/kesekit-fix` | हार्डनिंग स्क्रिप्ट और सुरक्षा सुधार स्वचालित रूप से तैयार करें (CII / AI / रोबोट / अंतरिक्ष / सुरक्षित कोडिंग / जीरो ट्रस्ट) | -| `/kesekit-guide` | AI उपकरणों के लिए सुरक्षित कोडिंग प्रॉम्प्ट तैयार करें (CII / AI / रोबोट / अंतरिक्ष / JS·Python·सामान्य / जीरो ट्रस्ट) | +| `/kesekit-start` | पूर्ण सुरक्षा कमजोरी मूल्यांकन चलाएँ (CII 560+ / AI सुरक्षा / रोबोट सुरक्षा / अंतरिक्ष सुरक्षा / सुरक्षित कोडिंग / जीरो ट्रस्ट / SW आपूर्ति श्रृंखला) | +| `/kesekit-check` | तैनाती-पूर्व सुरक्षा अनुपालन चेकलिस्ट (CII / AI / रोबोट / अंतरिक्ष / सुरक्षित कोडिंग / जीरो ट्रस्ट / SW आपूर्ति श्रृंखला) | +| `/kesekit-fix` | हार्डनिंग स्क्रिप्ट और सुरक्षा सुधार स्वचालित रूप से तैयार करें (CII / AI / रोबोट / अंतरिक्ष / सुरक्षित कोडिंग / जीरो ट्रस्ट / SW आपूर्ति श्रृंखला) | +| `/kesekit-guide` | AI उपकरणों के लिए सुरक्षित कोडिंग प्रॉम्प्ट तैयार करें (CII / AI / रोबोट / अंतरिक्ष / JS·Python·सामान्य / जीरो ट्रस्ट / SW आपूर्ति श्रृंखला) | ## समर्थित दिशानिर्देश @@ -129,6 +129,16 @@ KESE (KISA Enhanced Security Evaluation Kit) एक Claude Code प्लगइ लक्षित समूह: जीरो ट्रस्ट अपनाने वाले उद्यम, OT/ICS वातावरण, क्लाउड माइग्रेशन संगठन, सुरक्षा परिपक्वता मूल्यांकन प्रभारी +### 7. SW आपूर्ति श्रृंखला सुरक्षा (SBOM) — 29 आइटम + +| चरण | कोड | आइटम | मानक | +|------|------|:-----:|------| +| डिज़ाइन | SC-01~05 | 5 | NIST SP 800-161r1 | +| विकास | SC-06~16 | 11 | NIST SP 800-218 | +| आपूर्ति/वितरण | SC-17~19 | 3 | NTIA SBOM | +| तैनाती एवं संचालन | SC-20~26 | 7 | NIS-SBOM | +| रखरखाव | SC-27~29 | 3 | NIS-SBOM | + ## स्थापना ``` diff --git a/docs/README.id.md b/docs/README.id.md index 10a4ffb..e3602a6 100644 --- a/docs/README.id.md +++ b/docs/README.id.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -Plugin Claude Code untuk analisis dan evaluasi kerentanan Infrastruktur Informasi Kritis (CII), evaluasi keamanan AI, keamanan robot, keamanan ruang angkasa, panduan secure coding, dan evaluasi Zero Trust berdasarkan pedoman KISA (Badan Internet dan Keamanan Korea). +Plugin Claude Code untuk analisis dan evaluasi kerentanan Infrastruktur Informasi Kritis (CII), evaluasi keamanan AI, keamanan robot, keamanan ruang angkasa, panduan secure coding, evaluasi Zero Trust, dan Keamanan Rantai Pasokan SW (SBOM) berdasarkan pedoman KISA (Badan Internet dan Keamanan Korea). --- @@ -16,10 +16,10 @@ KESE (KISA Enhanced Security Evaluation Kit) adalah plugin Claude Code yang meny | Skill | Deskripsi | |-------|-----------| -| `/kesekit-start` | Menjalankan penilaian kerentanan keamanan lengkap (CII 560+ / AI / Robot / Ruang Angkasa / Secure Coding / Zero Trust) | -| `/kesekit-check` | Daftar periksa kepatuhan keamanan sebelum deployment (CII / AI / Robot / Ruang Angkasa / Secure Coding / Zero Trust) | -| `/kesekit-fix` | Menghasilkan skrip hardening dan perbaikan keamanan secara otomatis (CII / AI / Robot / Ruang Angkasa / Secure Coding / Zero Trust) | -| `/kesekit-guide` | Membuat prompt secure coding untuk alat AI (CII / AI / Robot / Ruang Angkasa / JS·Python·Umum / Zero Trust) | +| `/kesekit-start` | Menjalankan penilaian kerentanan keamanan lengkap (CII 560+ / AI / Robot / Ruang Angkasa / Secure Coding / Zero Trust / Rantai Pasokan SW) | +| `/kesekit-check` | Daftar periksa kepatuhan keamanan sebelum deployment (CII / AI / Robot / Ruang Angkasa / Secure Coding / Zero Trust / Rantai Pasokan SW) | +| `/kesekit-fix` | Menghasilkan skrip hardening dan perbaikan keamanan secara otomatis (CII / AI / Robot / Ruang Angkasa / Secure Coding / Zero Trust / Rantai Pasokan SW) | +| `/kesekit-guide` | Membuat prompt secure coding untuk alat AI (CII / AI / Robot / Ruang Angkasa / JS·Python·Umum / Zero Trust / Rantai Pasokan SW) | ## Pedoman yang Didukung @@ -129,6 +129,16 @@ Target: Pengembang web JavaScript/Python, Pengguna alat AI (Claude, Cursor, Copi Target: Organisasi yang mengadopsi Zero Trust, Lingkungan OT/ICS, Organisasi yang bermigrasi ke cloud, Penilai kematangan keamanan +### 7. Keamanan Rantai Pasokan SW (SBOM) — 29 item + +| Fase | Kode | Jumlah Item | Standar | +|------|------|:----------:|---------| +| Desain | SC-01~05 | 5 | NIST SP 800-161r1 | +| Pengembangan | SC-06~16 | 11 | NIST SP 800-218 | +| Pasokan/Distribusi | SC-17~19 | 3 | NTIA SBOM | +| Deployment & Operasi | SC-20~26 | 7 | NIS-SBOM | +| Pemeliharaan | SC-27~29 | 3 | NIS-SBOM | + ## Instalasi ``` diff --git a/docs/README.it.md b/docs/README.it.md index d9eea54..604ffdd 100644 --- a/docs/README.it.md +++ b/docs/README.it.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -Plugin per Claude Code dedicato alla valutazione delle vulnerabilita delle Infrastrutture Critiche Informatiche (CII), alla valutazione della sicurezza dell'IA, alla sicurezza robotica, alla sicurezza spaziale, alla guida alla codifica sicura e alla valutazione della sicurezza Zero Trust, basato sulle linee guida della KISA (Agenzia Coreana per Internet e la Sicurezza). +Plugin per Claude Code dedicato alla valutazione delle vulnerabilita delle Infrastrutture Critiche Informatiche (CII), alla valutazione della sicurezza dell'IA, alla sicurezza robotica, alla sicurezza spaziale, alla guida alla codifica sicura, alla valutazione della sicurezza Zero Trust e alla sicurezza della catena di fornitura SW (SBOM), basato sulle linee guida della KISA (Agenzia Coreana per Internet e la Sicurezza). --- @@ -16,10 +16,10 @@ KESE (KISA Enhanced Security Evaluation Kit) e un plugin per Claude Code che for | Skill | Descrizione | |-------|-------------| -| `/kesekit-start` | Eseguire la valutazione completa delle vulnerabilita di sicurezza (CII 560+ / Sicurezza IA / Sicurezza Robotica / Sicurezza Spaziale / Codifica Sicura / Zero Trust) | -| `/kesekit-check` | Checklist di conformita di sicurezza pre-distribuzione (CII / IA / Robot / Spazio / Codifica Sicura / Zero Trust) | -| `/kesekit-fix` | Generare automaticamente script di hardening e correzioni di sicurezza (CII / IA / Robot / Spazio / Codifica Sicura / Zero Trust) | -| `/kesekit-guide` | Generare prompt di codifica sicura per strumenti di IA (CII / IA / Robot / Spazio / JS·Python·Generico / Zero Trust) | +| `/kesekit-start` | Eseguire la valutazione completa delle vulnerabilita di sicurezza (CII 560+ / Sicurezza IA / Sicurezza Robotica / Sicurezza Spaziale / Codifica Sicura / Zero Trust / Catena di fornitura SW) | +| `/kesekit-check` | Checklist di conformita di sicurezza pre-distribuzione (CII / IA / Robot / Spazio / Codifica Sicura / Zero Trust / Catena di fornitura SW) | +| `/kesekit-fix` | Generare automaticamente script di hardening e correzioni di sicurezza (CII / IA / Robot / Spazio / Codifica Sicura / Zero Trust / Catena di fornitura SW) | +| `/kesekit-guide` | Generare prompt di codifica sicura per strumenti di IA (CII / IA / Robot / Spazio / JS·Python·Generico / Zero Trust / Catena di fornitura SW) | ## Linee Guida Supportate @@ -129,6 +129,16 @@ Destinatari: Sviluppatori web JavaScript/Python, utenti di strumenti IA (Claude, Destinatari: Aziende che adottano Zero Trust, ambienti OT/ICS, organizzazioni in migrazione cloud, responsabili della valutazione della maturita della sicurezza +### 7. Sicurezza della catena di fornitura SW (SBOM) — 29 elementi + +| Fase | Codice | Elementi | Standard di Riferimento | +|------|--------|:--------:|------------------------| +| Progettazione | SC-01~05 | 5 | NIST SP 800-161r1 | +| Sviluppo | SC-06~16 | 11 | NIST SP 800-218 | +| Fornitura/Distribuzione | SC-17~19 | 3 | NTIA SBOM | +| Distribuzione e operazioni | SC-20~26 | 7 | NIS-SBOM | +| Manutenzione | SC-27~29 | 3 | NIS-SBOM | + ## Installazione ``` diff --git a/docs/README.ja.md b/docs/README.ja.md index ce2df2e..aa6dd68 100644 --- a/docs/README.ja.md +++ b/docs/README.ja.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -主要情報通信基盤施設(CII)の脆弱性分析評価、AIセキュリティ評価、ロボットセキュリティ点検、宇宙セキュリティ点検、セキュアコーディングガイド、ゼロトラストセキュリティ評価のためのClaude Codeスキルプラグインです。 +主要情報通信基盤施設(CII)の脆弱性分析評価、AIセキュリティ評価、ロボットセキュリティ点検、宇宙セキュリティ点検、セキュアコーディングガイド、ゼロトラストセキュリティ評価、SWサプライチェーンセキュリティ(SBOM)のためのClaude Codeスキルプラグインです。 --- @@ -16,10 +16,10 @@ KESE(KISA Enhanced Security Evaluation Kit)は、KISA(韓国インター | スキル | 説明 | |--------|------| -| `/kesekit-start` | セキュリティ脆弱性の総合評価を実行(CII 560+ / AIセキュリティ / ロボットセキュリティ / 宇宙セキュリティ / セキュアコーディング / ゼロトラスト) | -| `/kesekit-check` | デプロイ前のセキュリティコンプライアンスチェックリスト(CII / AI / ロボット / 宇宙 / セキュアコーディング / ゼロトラスト) | -| `/kesekit-fix` | ハードニングスクリプトおよびセキュリティ修正の自動生成(CII / AI / ロボット / 宇宙 / セキュアコーディング / ゼロトラスト) | -| `/kesekit-guide` | AIツール向けセキュアコーディングプロンプトの生成(CII / AI / ロボット / 宇宙 / JS・Python・汎用 / ゼロトラスト) | +| `/kesekit-start` | セキュリティ脆弱性の総合評価を実行(CII 560+ / AIセキュリティ / ロボットセキュリティ / 宇宙セキュリティ / セキュアコーディング / ゼロトラスト / SWサプライチェーン) | +| `/kesekit-check` | デプロイ前のセキュリティコンプライアンスチェックリスト(CII / AI / ロボット / 宇宙 / セキュアコーディング / ゼロトラスト / SWサプライチェーン) | +| `/kesekit-fix` | ハードニングスクリプトおよびセキュリティ修正の自動生成(CII / AI / ロボット / 宇宙 / セキュアコーディング / ゼロトラスト / SWサプライチェーン) | +| `/kesekit-guide` | AIツール向けセキュアコーディングプロンプトの生成(CII / AI / ロボット / 宇宙 / JS・Python・汎用 / ゼロトラスト / SWサプライチェーン) | ## 対応ガイドライン @@ -129,6 +129,16 @@ KESE(KISA Enhanced Security Evaluation Kit)は、KISA(韓国インター 対象:ゼロトラスト導入企業、OT/ICS環境、クラウド移行組織、セキュリティ成熟度評価担当者 +### 7. SWサプライチェーンセキュリティ(SBOM) — 29項目 + +| フェーズ | コード | 項目数 | 参照規格 | +|----------|--------|:------:|----------| +| 設計 | SC-01~05 | 5 | NIST SP 800-161r1 | +| 開発 | SC-06~16 | 11 | NIST SP 800-218 | +| 供給・配布 | SC-17~19 | 3 | NTIA SBOM | +| デプロイ・運用 | SC-20~26 | 7 | NIS-SBOM | +| 保守 | SC-27~29 | 3 | NIS-SBOM | + ## インストール ``` diff --git a/docs/README.nl.md b/docs/README.nl.md index ac79705..7d18207 100644 --- a/docs/README.nl.md +++ b/docs/README.nl.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -Een Claude Code skill-plugin voor kwetsbaarheidsanalyse van kritieke informatie-infrastructuur (CII), AI-beveiligingsevaluatie, robotbeveiliging, ruimtevaartbeveiliging, secure coding en Zero Trust-evaluatie. +Een Claude Code skill-plugin voor kwetsbaarheidsanalyse van kritieke informatie-infrastructuur (CII), AI-beveiligingsevaluatie, robotbeveiliging, ruimtevaartbeveiliging, secure coding, Zero Trust-evaluatie en SW-toeleveringsketenbeveiliging (SBOM). --- @@ -16,10 +16,10 @@ KESE (KISA Enhanced Security Evaluation Kit) is een Claude Code-plugin die uitge | Skill | Beschrijving | |-------|-------------| -| `/kesekit-start` | Volledige beveiligingskwetsbaarheidsanalyse uitvoeren (CII 560+ / AI / Robot / Ruimtevaart / Secure Coding / Zero Trust) | -| `/kesekit-check` | Beveiligingschecklist voor compliance voor implementatie (CII / AI / Robot / Ruimtevaart / Secure Coding / Zero Trust) | -| `/kesekit-fix` | Automatisch hardening-scripts en beveiligingsoplossingen genereren (CII / AI / Robot / Ruimtevaart / Secure Coding / Zero Trust) | -| `/kesekit-guide` | Secure coding-prompts genereren voor AI-tools (CII / AI / Robot / Ruimtevaart / JS·Python·Algemeen / Zero Trust) | +| `/kesekit-start` | Volledige beveiligingskwetsbaarheidsanalyse uitvoeren (CII 560+ / AI / Robot / Ruimtevaart / Secure Coding / Zero Trust / SW-toeleveringsketen) | +| `/kesekit-check` | Beveiligingschecklist voor compliance voor implementatie (CII / AI / Robot / Ruimtevaart / Secure Coding / Zero Trust / SW-toeleveringsketen) | +| `/kesekit-fix` | Automatisch hardening-scripts en beveiligingsoplossingen genereren (CII / AI / Robot / Ruimtevaart / Secure Coding / Zero Trust / SW-toeleveringsketen) | +| `/kesekit-guide` | Secure coding-prompts genereren voor AI-tools (CII / AI / Robot / Ruimtevaart / JS·Python·Algemeen / Zero Trust / SW-toeleveringsketen) | ## Ondersteunde richtlijnen @@ -129,6 +129,16 @@ Doelgroep: JavaScript/Python-webontwikkelaars, AI-toolgebruikers (Claude, Cursor Doelgroep: Organisaties die Zero Trust implementeren, OT/ICS-omgevingen, Organisaties die naar de cloud migreren, Verantwoordelijken voor beveiligingsvolwassenheidsevaluatie +### 7. SW-toeleveringsketenbeveiliging (SBOM) — 29 items + +| Fase | Code | Aantal items | Standaard | +|------|------|:------:|-----------| +| Ontwerp | SC-01~05 | 5 | NIST SP 800-161r1 | +| Ontwikkeling | SC-06~16 | 11 | NIST SP 800-218 | +| Levering/Distributie | SC-17~19 | 3 | NTIA SBOM | +| Implementatie & Beheer | SC-20~26 | 7 | NIS-SBOM | +| Onderhoud | SC-27~29 | 3 | NIS-SBOM | + ## Installatie ``` diff --git a/docs/README.pl.md b/docs/README.pl.md index d1df513..0e10e85 100644 --- a/docs/README.pl.md +++ b/docs/README.pl.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -Wtyczka Claude Code do analizy i oceny podatnosci Krytycznej Infrastruktury Informacyjnej (CII), oceny bezpieczenstwa AI, bezpieczenstwa robotow, bezpieczenstwa kosmicznego, bezpiecznego kodowania oraz oceny Zero Trust zgodnie z wytycznymi KISA (Koreanska Agencja Internetu i Bezpieczenstwa). +Wtyczka Claude Code do analizy i oceny podatnosci Krytycznej Infrastruktury Informacyjnej (CII), oceny bezpieczenstwa AI, bezpieczenstwa robotow, bezpieczenstwa kosmicznego, bezpiecznego kodowania, oceny Zero Trust oraz Bezpieczenstwa lancucha dostaw SW (SBOM) zgodnie z wytycznymi KISA (Koreanska Agencja Internetu i Bezpieczenstwa). --- @@ -16,10 +16,10 @@ KESE (KISA Enhanced Security Evaluation Kit) to wtyczka Claude Code zapewniając | Umiejętność | Opis | |-------------|------| -| `/kesekit-start` | Uruchomienie pełnej oceny podatności bezpieczeństwa (CII 560+ / AI / Roboty / Kosmos / Bezpieczne kodowanie / Zero Trust) | -| `/kesekit-check` | Lista kontrolna zgodności bezpieczeństwa przed wdrożeniem (CII / AI / Roboty / Kosmos / Bezpieczne kodowanie / Zero Trust) | -| `/kesekit-fix` | Automatyczne generowanie skryptów utwardzających i poprawek bezpieczeństwa (CII / AI / Roboty / Kosmos / Bezpieczne kodowanie / Zero Trust) | -| `/kesekit-guide` | Generowanie promptów bezpiecznego kodowania dla narzędzi AI (CII / AI / Roboty / Kosmos / JS·Python·Ogólny / Zero Trust) | +| `/kesekit-start` | Uruchomienie pełnej oceny podatności bezpieczeństwa (CII 560+ / AI / Roboty / Kosmos / Bezpieczne kodowanie / Zero Trust / Łańcuch dostaw SW) | +| `/kesekit-check` | Lista kontrolna zgodności bezpieczeństwa przed wdrożeniem (CII / AI / Roboty / Kosmos / Bezpieczne kodowanie / Zero Trust / Łańcuch dostaw SW) | +| `/kesekit-fix` | Automatyczne generowanie skryptów utwardzających i poprawek bezpieczeństwa (CII / AI / Roboty / Kosmos / Bezpieczne kodowanie / Zero Trust / Łańcuch dostaw SW) | +| `/kesekit-guide` | Generowanie promptów bezpiecznego kodowania dla narzędzi AI (CII / AI / Roboty / Kosmos / JS·Python·Ogólny / Zero Trust / Łańcuch dostaw SW) | ## Obsługiwane wytyczne @@ -129,6 +129,16 @@ Cel: Programiści webowi JavaScript/Python, Użytkownicy narzędzi AI (Claude, C Cel: Organizacje wdrażające Zero Trust, Środowiska OT/ICS, Organizacje migrujące do chmury, Osoby odpowiedzialne za ocenę dojrzałości bezpieczeństwa +### 7. Bezpieczeństwo łańcucha dostaw SW (SBOM) — 29 pozycji + +| Faza | Kod | Liczba pozycji | Standard | +|------|-----|:-------------:|----------| +| Projektowanie | SC-01~05 | 5 | NIST SP 800-161r1 | +| Rozwój | SC-06~16 | 11 | NIST SP 800-218 | +| Dostawa/Dystrybucja | SC-17~19 | 3 | NTIA SBOM | +| Wdrożenie i eksploatacja | SC-20~26 | 7 | NIS-SBOM | +| Utrzymanie | SC-27~29 | 3 | NIS-SBOM | + ## Instalacja ``` diff --git a/docs/README.pt.md b/docs/README.pt.md index c8205ea..dfd213a 100644 --- a/docs/README.pt.md +++ b/docs/README.pt.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -Plugin do Claude Code para avaliacao de vulnerabilidades em Infraestruturas Criticas de Informacao (CII), avaliacao de seguranca de IA, inspecao de seguranca de robos, inspecao de seguranca espacial, guia de codificacao segura e avaliacao de seguranca Zero Trust. +Plugin do Claude Code para avaliacao de vulnerabilidades em Infraestruturas Criticas de Informacao (CII), avaliacao de seguranca de IA, inspecao de seguranca de robos, inspecao de seguranca espacial, guia de codificacao segura, avaliacao de seguranca Zero Trust e seguranca da cadeia de suprimentos SW (SBOM). --- @@ -16,10 +16,10 @@ KESE (KISA Enhanced Security Evaluation Kit) e um plugin do Claude Code que ofer | Skill | Descricao | |-------|-----------| -| `/kesekit-start` | Executar avaliacao completa de vulnerabilidades de seguranca (CII 560+ / Seguranca de IA / Seguranca de robos / Seguranca espacial / Codificacao segura / Zero Trust) | -| `/kesekit-check` | Lista de verificacao de conformidade de seguranca pre-implantacao (CII / IA / Robos / Espaco / Codificacao segura / Zero Trust) | -| `/kesekit-fix` | Gerar automaticamente scripts de hardening e correcoes de seguranca (CII / IA / Robos / Espaco / Codificacao segura / Zero Trust) | -| `/kesekit-guide` | Gerar prompts de codificacao segura para ferramentas de IA (CII / IA / Robos / Espaco / JS·Python·Generico / Zero Trust) | +| `/kesekit-start` | Executar avaliacao completa de vulnerabilidades de seguranca (CII 560+ / Seguranca de IA / Seguranca de robos / Seguranca espacial / Codificacao segura / Zero Trust / Cadeia de suprimentos SW) | +| `/kesekit-check` | Lista de verificacao de conformidade de seguranca pre-implantacao (CII / IA / Robos / Espaco / Codificacao segura / Zero Trust / Cadeia de suprimentos SW) | +| `/kesekit-fix` | Gerar automaticamente scripts de hardening e correcoes de seguranca (CII / IA / Robos / Espaco / Codificacao segura / Zero Trust / Cadeia de suprimentos SW) | +| `/kesekit-guide` | Gerar prompts de codificacao segura para ferramentas de IA (CII / IA / Robos / Espaco / JS·Python·Generico / Zero Trust / Cadeia de suprimentos SW) | ## Diretrizes Suportadas @@ -129,6 +129,16 @@ Publico-alvo: desenvolvedores web JavaScript/Python, usuarios de ferramentas IA Publico-alvo: empresas adotando Zero Trust, ambientes OT/ICS, organizacoes em migracao para nuvem, responsaveis por avaliacao de maturidade de seguranca +### 7. Seguranca da cadeia de suprimentos SW (SBOM) — 29 itens + +| Fase | Codigo | Itens | Padroes de referencia | +|------|--------|:-----:|------------------------| +| Projeto | SC-01~05 | 5 | NIST SP 800-161r1 | +| Desenvolvimento | SC-06~16 | 11 | NIST SP 800-218 | +| Fornecimento/Distribuicao | SC-17~19 | 3 | NTIA SBOM | +| Implantacao e operacoes | SC-20~26 | 7 | NIS-SBOM | +| Manutencao | SC-27~29 | 3 | NIS-SBOM | + ## Instalacao ``` diff --git a/docs/README.ru.md b/docs/README.ru.md index 34bfef2..dba4c5a 100644 --- a/docs/README.ru.md +++ b/docs/README.ru.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -Плагин Claude Code для анализа и оценки уязвимостей критической информационной инфраструктуры (CII), оценки безопасности ИИ, безопасности роботов, безопасности космических систем, руководства по безопасному кодированию и оценки безопасности Zero Trust. +Плагин Claude Code для анализа и оценки уязвимостей критической информационной инфраструктуры (CII), оценки безопасности ИИ, безопасности роботов, безопасности космических систем, руководства по безопасному кодированию, оценки безопасности Zero Trust и безопасности цепочки поставок ПО (SBOM). --- @@ -16,10 +16,10 @@ KESE (KISA Enhanced Security Evaluation Kit) — это плагин Claude Code | Навык | Описание | |-------|----------| -| `/kesekit-start` | Запуск полной оценки уязвимостей безопасности (CII 560+ / Безопасность ИИ / Безопасность роботов / Безопасность космических систем / Безопасное кодирование / Zero Trust) | -| `/kesekit-check` | Контрольный список соответствия безопасности перед развёртыванием (CII / ИИ / Роботы / Космос / Безопасное кодирование / Zero Trust) | -| `/kesekit-fix` | Автоматическая генерация скриптов усиления защиты и исправлений безопасности (CII / ИИ / Роботы / Космос / Безопасное кодирование / Zero Trust) | -| `/kesekit-guide` | Генерация промптов для безопасного кодирования с помощью ИИ-инструментов (CII / ИИ / Роботы / Космос / JS·Python·Общий / Zero Trust) | +| `/kesekit-start` | Запуск полной оценки уязвимостей безопасности (CII 560+ / Безопасность ИИ / Безопасность роботов / Безопасность космических систем / Безопасное кодирование / Zero Trust / Цепочка поставок ПО) | +| `/kesekit-check` | Контрольный список соответствия безопасности перед развёртыванием (CII / ИИ / Роботы / Космос / Безопасное кодирование / Zero Trust / Цепочка поставок ПО) | +| `/kesekit-fix` | Автоматическая генерация скриптов усиления защиты и исправлений безопасности (CII / ИИ / Роботы / Космос / Безопасное кодирование / Zero Trust / Цепочка поставок ПО) | +| `/kesekit-guide` | Генерация промптов для безопасного кодирования с помощью ИИ-инструментов (CII / ИИ / Роботы / Космос / JS·Python·Общий / Zero Trust / Цепочка поставок ПО) | ## Поддерживаемые руководства @@ -129,6 +129,16 @@ KESE (KISA Enhanced Security Evaluation Kit) — это плагин Claude Code Целевая аудитория: Организации, внедряющие Zero Trust, среды OT/ICS, организации с облачной миграцией, специалисты по оценке зрелости безопасности +### 7. Безопасность цепочки поставок ПО (SBOM) — 29 элементов + +| Фаза | Код | Элементы | Стандарт | +|------|-----|:--------:|----------| +| Проектирование | SC-01~05 | 5 | NIST SP 800-161r1 | +| Разработка | SC-06~16 | 11 | NIST SP 800-218 | +| Поставка/Распространение | SC-17~19 | 3 | NTIA SBOM | +| Развёртывание и эксплуатация | SC-20~26 | 7 | NIS-SBOM | +| Обслуживание | SC-27~29 | 3 | NIS-SBOM | + ## Установка ``` diff --git a/docs/README.sv.md b/docs/README.sv.md index e522b75..a5badaa 100644 --- a/docs/README.sv.md +++ b/docs/README.sv.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -Ett Claude Code skill-plugin for sarbarhetsanalys av kritisk informationsinfrastruktur (CII), AI-sakerhetsutvardering, robotsakerhet, rymdsakerhet, saker kodning och Zero Trust-utvardering. +Ett Claude Code skill-plugin for sarbarhetsanalys av kritisk informationsinfrastruktur (CII), AI-sakerhetsutvardering, robotsakerhet, rymdsakerhet, saker kodning, Zero Trust-utvardering och SW-leveranskedjesakerhet (SBOM). --- @@ -16,10 +16,10 @@ KESE (KISA Enhanced Security Evaluation Kit) ar ett Claude Code-plugin som erbju | Skill | Beskrivning | |-------|-------------| -| `/kesekit-start` | Kor fullstandig sakerhetsarbarhetsanalys (CII 560+ / AI / Robot / Rymd / Saker kodning / Zero Trust) | -| `/kesekit-check` | Sakerhetschecklista for efterlevnad fore driftsattning (CII / AI / Robot / Rymd / Saker kodning / Zero Trust) | -| `/kesekit-fix` | Generera hardening-skript och sakerhetsatgarder automatiskt (CII / AI / Robot / Rymd / Saker kodning / Zero Trust) | -| `/kesekit-guide` | Generera secure coding-promptar for AI-verktyg (CII / AI / Robot / Rymd / JS·Python·Allman / Zero Trust) | +| `/kesekit-start` | Kor fullstandig sakerhetsarbarhetsanalys (CII 560+ / AI / Robot / Rymd / Saker kodning / Zero Trust / SW-leveranskedja) | +| `/kesekit-check` | Sakerhetschecklista for efterlevnad fore driftsattning (CII / AI / Robot / Rymd / Saker kodning / Zero Trust / SW-leveranskedja) | +| `/kesekit-fix` | Generera hardening-skript och sakerhetsatgarder automatiskt (CII / AI / Robot / Rymd / Saker kodning / Zero Trust / SW-leveranskedja) | +| `/kesekit-guide` | Generera secure coding-promptar for AI-verktyg (CII / AI / Robot / Rymd / JS·Python·Allman / Zero Trust / SW-leveranskedja) | ## Riktlinjer som stods @@ -129,6 +129,16 @@ Malgrupp: JavaScript/Python-webbutvecklare, AI-verktygsanvandare (Claude, Cursor Malgrupp: Organisationer som infor Zero Trust, OT/ICS-miljoer, Organisationer som migrerar till molnet, Ansvariga for sakerhetsmognadsbedomning +### 7. SW-leveranskedjesakerhet (SBOM) — 29 objekt + +| Fas | Kod | Antal objekt | Standard | +|-----|-----|:------:|----------| +| Design | SC-01~05 | 5 | NIST SP 800-161r1 | +| Utveckling | SC-06~16 | 11 | NIST SP 800-218 | +| Leverans/Distribution | SC-17~19 | 3 | NTIA SBOM | +| Driftsattning & Drift | SC-20~26 | 7 | NIS-SBOM | +| Underhall | SC-27~29 | 3 | NIS-SBOM | + ## Installation ``` diff --git a/docs/README.th.md b/docs/README.th.md index 99e2095..cbcb373 100644 --- a/docs/README.th.md +++ b/docs/README.th.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -ปลั๊กอิน Claude Code สำหรับการวิเคราะห์และประเมินช่องโหว่ของโครงสร้างพื้นฐานสารสนเทศสำคัญ (CII) การประเมินความปลอดภัยด้าน AI ความปลอดภัยหุ่นยนต์ ความปลอดภัยอวกาศ การเขียนโค้ดที่ปลอดภัย และการประเมิน Zero Trust ตามแนวทางของ KISA (สำนักงานอินเทอร์เน็ตและความปลอดภัยแห่งเกาหลี) +ปลั๊กอิน Claude Code สำหรับการวิเคราะห์และประเมินช่องโหว่ของโครงสร้างพื้นฐานสารสนเทศสำคัญ (CII) การประเมินความปลอดภัยด้าน AI ความปลอดภัยหุ่นยนต์ ความปลอดภัยอวกาศ การเขียนโค้ดที่ปลอดภัย การประเมิน Zero Trust และความปลอดภัยห่วงโซ่อุปทาน SW (SBOM) ตามแนวทางของ KISA (สำนักงานอินเทอร์เน็ตและความปลอดภัยแห่งเกาหลี) --- @@ -16,10 +16,10 @@ KESE (KISA Enhanced Security Evaluation Kit) เป็นปลั๊กอิ | สกิล | คำอธิบาย | |------|----------| -| `/kesekit-start` | เริ่มการประเมินช่องโหว่ด้านความปลอดภัยแบบเต็มรูปแบบ (CII 560+ / AI / หุ่นยนต์ / อวกาศ / โค้ดปลอดภัย / Zero Trust) | -| `/kesekit-check` | รายการตรวจสอบความสอดคล้องด้านความปลอดภัยก่อนการปรับใช้งาน (CII / AI / หุ่นยนต์ / อวกาศ / โค้ดปลอดภัย / Zero Trust) | -| `/kesekit-fix` | สร้างสคริปต์เสริมความแข็งแกร่งและแก้ไขด้านความปลอดภัยโดยอัตโนมัติ (CII / AI / หุ่นยนต์ / อวกาศ / โค้ดปลอดภัย / Zero Trust) | -| `/kesekit-guide` | สร้างพรอมต์การเขียนโค้ดที่ปลอดภัยสำหรับเครื่องมือ AI (CII / AI / หุ่นยนต์ / อวกาศ / JS·Python·ทั่วไป / Zero Trust) | +| `/kesekit-start` | เริ่มการประเมินช่องโหว่ด้านความปลอดภัยแบบเต็มรูปแบบ (CII 560+ / AI / หุ่นยนต์ / อวกาศ / โค้ดปลอดภัย / Zero Trust / ห่วงโซ่อุปทาน SW) | +| `/kesekit-check` | รายการตรวจสอบความสอดคล้องด้านความปลอดภัยก่อนการปรับใช้งาน (CII / AI / หุ่นยนต์ / อวกาศ / โค้ดปลอดภัย / Zero Trust / ห่วงโซ่อุปทาน SW) | +| `/kesekit-fix` | สร้างสคริปต์เสริมความแข็งแกร่งและแก้ไขด้านความปลอดภัยโดยอัตโนมัติ (CII / AI / หุ่นยนต์ / อวกาศ / โค้ดปลอดภัย / Zero Trust / ห่วงโซ่อุปทาน SW) | +| `/kesekit-guide` | สร้างพรอมต์การเขียนโค้ดที่ปลอดภัยสำหรับเครื่องมือ AI (CII / AI / หุ่นยนต์ / อวกาศ / JS·Python·ทั่วไป / Zero Trust / ห่วงโซ่อุปทาน SW) | ## แนวทางที่รองรับ @@ -129,6 +129,16 @@ KESE (KISA Enhanced Security Evaluation Kit) เป็นปลั๊กอิ เป้าหมาย: องค์กรที่นำ Zero Trust มาใช้, สภาพแวดล้อม OT/ICS, องค์กรที่ย้ายไปคลาวด์, ผู้รับผิดชอบการประเมินวุฒิภาวะด้านความปลอดภัย +### 7. ความปลอดภัยห่วงโซ่อุปทาน SW (SBOM) — 29 รายการ + +| ขั้นตอน | รหัส | จำนวนรายการ | มาตรฐาน | +|---------|------|:----------:|---------| +| การออกแบบ | SC-01~05 | 5 | NIST SP 800-161r1 | +| การพัฒนา | SC-06~16 | 11 | NIST SP 800-218 | +| การจัดหา/การแจกจ่าย | SC-17~19 | 3 | NTIA SBOM | +| การปรับใช้งานและการดำเนินงาน | SC-20~26 | 7 | NIS-SBOM | +| การบำรุงรักษา | SC-27~29 | 3 | NIS-SBOM | + ## การติดตั้ง ``` diff --git a/docs/README.tr.md b/docs/README.tr.md index c5db9a6..f485696 100644 --- a/docs/README.tr.md +++ b/docs/README.tr.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -Kritik Bilgi Altyapisi (CII) zafiyet analiz-degerlendirmesi, AI guvenlik degerlendirmesi, robot guvenligi, uzay guvenligi, guvenli kodlama kilavuzu ve Sifir Guven (Zero Trust) guvenlik degerlendirmesi icin Claude Code beceri eklentisidir. +Kritik Bilgi Altyapisi (CII) zafiyet analiz-degerlendirmesi, AI guvenlik degerlendirmesi, robot guvenligi, uzay guvenligi, guvenli kodlama kilavuzu, Sifir Guven (Zero Trust) guvenlik degerlendirmesi ve SW Tedarik Zinciri Guvenligi (SBOM) icin Claude Code beceri eklentisidir. --- @@ -16,10 +16,10 @@ KESE (KISA Enhanced Security Evaluation Kit), KISA (Kore Internet ve Guvenlik Aj | Beceri | Aciklama | |--------|----------| -| `/kesekit-start` | Tam guvenlik zafiyet degerlendirmesi calistir (CII 560+ / AI Guvenlik / Robot Guvenligi / Uzay Guvenligi / Guvenli Kodlama / Sifir Guven) | -| `/kesekit-check` | Dagitim oncesi guvenlik uyumluluk kontrol listesi (CII / AI / Robot / Uzay / Guvenli Kodlama / Sifir Guven) | -| `/kesekit-fix` | Sikilastirma betikleri ve guvenlik duzeltmeleri otomatik olustur (CII / AI / Robot / Uzay / Guvenli Kodlama / Sifir Guven) | -| `/kesekit-guide` | AI araclari icin guvenli kodlama komut istemi olustur (CII / AI / Robot / Uzay / JS·Python·Genel / Sifir Guven) | +| `/kesekit-start` | Tam guvenlik zafiyet degerlendirmesi calistir (CII 560+ / AI Guvenlik / Robot Guvenligi / Uzay Guvenligi / Guvenli Kodlama / Sifir Guven / SW Tedarik Zinciri) | +| `/kesekit-check` | Dagitim oncesi guvenlik uyumluluk kontrol listesi (CII / AI / Robot / Uzay / Guvenli Kodlama / Sifir Guven / SW Tedarik Zinciri) | +| `/kesekit-fix` | Sikilastirma betikleri ve guvenlik duzeltmeleri otomatik olustur (CII / AI / Robot / Uzay / Guvenli Kodlama / Sifir Guven / SW Tedarik Zinciri) | +| `/kesekit-guide` | AI araclari icin guvenli kodlama komut istemi olustur (CII / AI / Robot / Uzay / JS·Python·Genel / Sifir Guven / SW Tedarik Zinciri) | ## Desteklenen Kilavuzlar @@ -129,6 +129,16 @@ Hedef Kitle: JavaScript/Python web gelistiricileri, AI arac (Claude, Cursor, Cop Hedef Kitle: Sifir Guven benimseyen kuruluslar, OT/ICS ortamlari, buluta gecis yapan organizasyonlar, guvenlik olgunluk degerlendirme sorumlulari +### 7. SW Tedarik Zinciri Guvenligi (SBOM) — 29 madde + +| Asama | Kod | Madde | Standart | +|-------|-----|:-----:|----------| +| Tasarim | SC-01~05 | 5 | NIST SP 800-161r1 | +| Gelistirme | SC-06~16 | 11 | NIST SP 800-218 | +| Tedarik/Dagitim | SC-17~19 | 3 | NTIA SBOM | +| Dagitim ve Isletme | SC-20~26 | 7 | NIS-SBOM | +| Bakim | SC-27~29 | 3 | NIS-SBOM | + ## Kurulum ``` diff --git a/docs/README.uk.md b/docs/README.uk.md index d8572ab..0381d0f 100644 --- a/docs/README.uk.md +++ b/docs/README.uk.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -Плагін навичок Claude Code для аналізу вразливостей критичної інформаційної інфраструктури (CII), оцінки безпеки ШІ, безпеки роботів, космічної безпеки, безпечного кодування та оцінки Zero Trust. +Плагін навичок Claude Code для аналізу вразливостей критичної інформаційної інфраструктури (CII), оцінки безпеки ШІ, безпеки роботів, космічної безпеки, безпечного кодування, оцінки Zero Trust та Безпеки ланцюга постачання ПЗ (SBOM). --- @@ -16,10 +16,10 @@ KESE (KISA Enhanced Security Evaluation Kit) — це плагін Claude Code, | Навичка | Опис | |---------|------| -| `/kesekit-start` | Запуск повного аналізу вразливостей безпеки (CII 560+ / ШІ / Роботи / Космос / Безпечне кодування / Zero Trust) | -| `/kesekit-check` | Контрольний список відповідності безпеці перед розгортанням (CII / ШІ / Роботи / Космос / Безпечне кодування / Zero Trust) | -| `/kesekit-fix` | Автоматична генерація скриптів зміцнення та виправлень безпеки (CII / ШІ / Роботи / Космос / Безпечне кодування / Zero Trust) | -| `/kesekit-guide` | Генерація промптів безпечного кодування для інструментів ШІ (CII / ШІ / Роботи / Космос / JS·Python·Загальний / Zero Trust) | +| `/kesekit-start` | Запуск повного аналізу вразливостей безпеки (CII 560+ / ШІ / Роботи / Космос / Безпечне кодування / Zero Trust / Ланцюг постачання ПЗ) | +| `/kesekit-check` | Контрольний список відповідності безпеці перед розгортанням (CII / ШІ / Роботи / Космос / Безпечне кодування / Zero Trust / Ланцюг постачання ПЗ) | +| `/kesekit-fix` | Автоматична генерація скриптів зміцнення та виправлень безпеки (CII / ШІ / Роботи / Космос / Безпечне кодування / Zero Trust / Ланцюг постачання ПЗ) | +| `/kesekit-guide` | Генерація промптів безпечного кодування для інструментів ШІ (CII / ШІ / Роботи / Космос / JS·Python·Загальний / Zero Trust / Ланцюг постачання ПЗ) | ## Підтримувані настанови @@ -129,6 +129,16 @@ KESE (KISA Enhanced Security Evaluation Kit) — це плагін Claude Code, Цільова група: Організації, що впроваджують Zero Trust, Середовища OT/ICS, Організації, що мігрують у хмару, Відповідальні за оцінку зрілості безпеки +### 7. Безпека ланцюга постачання ПЗ (SBOM) — 29 пунктів + +| Фаза | Код | Кількість пунктів | Стандарт | +|------|-----|:------:|----------| +| Проєктування | SC-01~05 | 5 | NIST SP 800-161r1 | +| Розробка | SC-06~16 | 11 | NIST SP 800-218 | +| Постачання/Розповсюдження | SC-17~19 | 3 | NTIA SBOM | +| Розгортання та експлуатація | SC-20~26 | 7 | NIS-SBOM | +| Обслуговування | SC-27~29 | 3 | NIS-SBOM | + ## Встановлення ``` diff --git a/docs/README.vi.md b/docs/README.vi.md index 8f048ec..9f52608 100644 --- a/docs/README.vi.md +++ b/docs/README.vi.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -Plugin ky nang Claude Code danh cho phan tich-danh gia lo hong Ha tang Thong tin Trong yeu (CII), danh gia bao mat AI, bao mat robot, bao mat khong gian, huong dan lap trinh an toan va danh gia bao mat Zero Trust. +Plugin ky nang Claude Code danh cho phan tich-danh gia lo hong Ha tang Thong tin Trong yeu (CII), danh gia bao mat AI, bao mat robot, bao mat khong gian, huong dan lap trinh an toan, danh gia bao mat Zero Trust va Bao mat chuoi cung ung SW (SBOM). --- @@ -16,10 +16,10 @@ KESE (KISA Enhanced Security Evaluation Kit) la mot plugin Claude Code cung cap | Ky nang | Mo ta | |---------|-------| -| `/kesekit-start` | Chay danh gia lo hong bao mat toan dien (CII 560+ / Bao mat AI / Bao mat Robot / Bao mat Khong gian / Lap trinh An toan / Zero Trust) | -| `/kesekit-check` | Danh sach kiem tra tuan thu bao mat truoc trien khai (CII / AI / Robot / Khong gian / Lap trinh An toan / Zero Trust) | -| `/kesekit-fix` | Tu dong tao script tang cuong bao mat va ban va lo hong (CII / AI / Robot / Khong gian / Lap trinh An toan / Zero Trust) | -| `/kesekit-guide` | Tao prompt lap trinh an toan cho cac cong cu AI (CII / AI / Robot / Khong gian / JS·Python·Chung / Zero Trust) | +| `/kesekit-start` | Chay danh gia lo hong bao mat toan dien (CII 560+ / Bao mat AI / Bao mat Robot / Bao mat Khong gian / Lap trinh An toan / Zero Trust / Chuoi cung ung SW) | +| `/kesekit-check` | Danh sach kiem tra tuan thu bao mat truoc trien khai (CII / AI / Robot / Khong gian / Lap trinh An toan / Zero Trust / Chuoi cung ung SW) | +| `/kesekit-fix` | Tu dong tao script tang cuong bao mat va ban va lo hong (CII / AI / Robot / Khong gian / Lap trinh An toan / Zero Trust / Chuoi cung ung SW) | +| `/kesekit-guide` | Tao prompt lap trinh an toan cho cac cong cu AI (CII / AI / Robot / Khong gian / JS·Python·Chung / Zero Trust / Chuoi cung ung SW) | ## Huong dan duoc ho tro @@ -129,6 +129,16 @@ Doi tuong: Nha phat trien web JavaScript/Python, nguoi dung cong cu AI (Claude, Doi tuong: Doanh nghiep ap dung Zero Trust, moi truong OT/ICS, to chuc chuyen doi dam may, nguoi phu trach danh gia muc do truong thanh bao mat +### 7. Bao mat chuoi cung ung SW (SBOM) — 29 hang muc + +| Giai doan | Ma | Hang muc | Tieu chuan | +|-----------|-----|:--------:|------------| +| Thiet ke | SC-01~05 | 5 | NIST SP 800-161r1 | +| Phat trien | SC-06~16 | 11 | NIST SP 800-218 | +| Cung ung/Phan phoi | SC-17~19 | 3 | NTIA SBOM | +| Trien khai va Van hanh | SC-20~26 | 7 | NIS-SBOM | +| Bao tri | SC-27~29 | 3 | NIS-SBOM | + ## Cai dat ``` diff --git a/docs/README.zh.md b/docs/README.zh.md index b50239b..fb8c596 100644 --- a/docs/README.zh.md +++ b/docs/README.zh.md @@ -4,7 +4,7 @@ # KESE - KISA Enhanced Security Evaluation Kit -面向关键信息基础设施(CII)漏洞分析评估、AI安全评估、机器人安全检查、太空安全检查、安全编码指南、零信任安全评估的Claude Code技能插件。 +面向关键信息基础设施(CII)漏洞分析评估、AI安全评估、机器人安全检查、太空安全检查、安全编码指南、零信任安全评估、SW供应链安全(SBOM)的Claude Code技能插件。 --- @@ -16,10 +16,10 @@ KESE(KISA Enhanced Security Evaluation Kit)是一款基于KISA(韩国互 | 技能 | 说明 | |------|------| -| `/kesekit-start` | 运行完整的安全漏洞评估(CII 560+ / AI安全 / 机器人安全 / 太空安全 / 安全编码 / 零信任) | -| `/kesekit-check` | 部署前安全合规检查清单(CII / AI / 机器人 / 太空 / 安全编码 / 零信任) | -| `/kesekit-fix` | 自动生成加固脚本和安全修复方案(CII / AI / 机器人 / 太空 / 安全编码 / 零信任) | -| `/kesekit-guide` | 为AI工具生成安全编码提示词(CII / AI / 机器人 / 太空 / JS·Python·通用 / 零信任) | +| `/kesekit-start` | 运行完整的安全漏洞评估(CII 560+ / AI安全 / 机器人安全 / 太空安全 / 安全编码 / 零信任 / SW供应链) | +| `/kesekit-check` | 部署前安全合规检查清单(CII / AI / 机器人 / 太空 / 安全编码 / 零信任 / SW供应链) | +| `/kesekit-fix` | 自动生成加固脚本和安全修复方案(CII / AI / 机器人 / 太空 / 安全编码 / 零信任 / SW供应链) | +| `/kesekit-guide` | 为AI工具生成安全编码提示词(CII / AI / 机器人 / 太空 / JS·Python·通用 / 零信任 / SW供应链) | ## 支持的指南 @@ -129,6 +129,16 @@ KESE(KISA Enhanced Security Evaluation Kit)是一款基于KISA(韩国互 适用对象:零信任实施企业、OT/ICS环境、云迁移组织、安全成熟度评估负责人 +### 7. SW供应链安全(SBOM) — 29项 + +| 阶段 | 代码 | 项数 | 参考标准 | +|------|------|:----:|----------| +| 设计 | SC-01~05 | 5 | NIST SP 800-161r1 | +| 开发 | SC-06~16 | 11 | NIST SP 800-218 | +| 供应/分发 | SC-17~19 | 3 | NTIA SBOM | +| 部署与运维 | SC-20~26 | 7 | NIS-SBOM | +| 维护 | SC-27~29 | 3 | NIS-SBOM | + ## 安装 ``` diff --git a/skills/kesekit-check/SKILL.md b/skills/kesekit-check/SKILL.md index 28b6f23..b4f1eee 100644 --- a/skills/kesekit-check/SKILL.md +++ b/skills/kesekit-check/SKILL.md @@ -1,6 +1,6 @@ --- name: kesekit-check -description: Run a pre-deployment security compliance checklist based on KISA guidelines. Supports CII compliance (70 items), AI security checklists, Robot Security (103 items), and Space Security (12 domains, 53 items). Use when "pre-deploy check", "compliance checklist", "security checklist", "AI security check", "robot security check", "space security check", "satellite compliance", "GSaaS check". +description: Run a pre-deployment security compliance checklist based on KISA guidelines. Supports CII compliance (70 items), AI security checklists, Robot Security (103 items), Space Security (12 domains, 53 items), SW Supply Chain (SBOM, 29 items). Use when "pre-deploy check", "compliance checklist", "security checklist", "AI security check", "robot security check", "space security check", "satellite compliance", "GSaaS check", "supply chain check", "SBOM check", "공급망 점검". --- # KESE Pre-Deployment Security Compliance Checklist @@ -17,9 +17,11 @@ Run pre-deployment security checks. Auto-selects guideline based on user context | 4 | **Space Security Checklist** | Satellite/GSaaS/supply chain 12 domains, 53 items | | 5 | **Secure Coding Checklist** | JavaScript/Python code review (7 categories, 46 CWE) | | 6 | **Zero Trust Checklist** | Zero Trust maturity assessment (8 elements, 4 maturity levels, ~396 items) | +| 7 | **SW Supply Chain Checklist** | SBOM-based supply chain security (5 phases, 29 items) | Servers, infrastructure → **CII** / AI models, LLM → **AI Security** / robots, ROS/ROS2 → **Robot Security** / satellites, ground stations, GSaaS, space supply chain → **Space Security** / JavaScript, Python, web app code → **Secure Coding** Zero Trust, ZTA, ZTNA, 제로트러스트, 마이크로세그멘테이션, microsegmentation, SDP, SASE, PEP/PDP, never trust always verify → **Zero Trust** +SBOM, supply chain, 공급망, C-SCRM, SCA, CycloneDX, SPDX, npm audit, pip-audit → **SW Supply Chain** --- @@ -73,6 +75,14 @@ Load from `references/zero-trust/` for overview and maturity model, and `templat --- +## SW Supply Chain Branch + +Load from `references/supply-chain/overview.md` for context, then use `templates/supply-chain/sbom-checklist.md` for the 29-item pre-deployment checklist. Use `scripts/supply-chain/sbom-generate.md` and `scripts/supply-chain/sbom-vuln-scan.md` for verification commands. + +5 phases: Design (5) → Development (11) → Supply (3) → Operations (7) → Maintenance (3). Critical items: SC-10, SC-14, SC-15 must ALL pass. Block deployment if any Critical item fails. Standards: NIST SP 800-161r1, NIST SP 800-218, NTIA SBOM, NIS-SBOM. + +--- + ## Rules - Never skip Critical severity items - Provide specific file paths and commands for fixes diff --git a/skills/kesekit-check/references/supply-chain/overview.md b/skills/kesekit-check/references/supply-chain/overview.md new file mode 100644 index 0000000..fadab04 --- /dev/null +++ b/skills/kesekit-check/references/supply-chain/overview.md @@ -0,0 +1,111 @@ +# SW Supply Chain Security Overview + +> Source: SW 공급망 보안 가이드라인 v1.0 (2024.05, 국가정보원·과기정통부·디플정위·KISA) +> Domain: SW Supply Chain Risk Management, SBOM-based Security +> Standards: NIST SP 800-161r1 (C-SCRM), NIST SP 800-218 (SSDF), NTIA SBOM Minimum Elements + +--- + +## 1. Supply Chain Attack Types (7 Categories) + +| # | Attack Type | Description | Example | +|---|------------|-------------|---------| +| 1 | **Open Source Vulnerability** | Exploiting known CVEs in widely used OSS | Log4Shell (CVE-2021-44228) | +| 2 | **Third-party Dependency** | Compromised 3rd-party libraries/modules | event-stream malicious injection | +| 3 | **Public Repository** | Malicious packages via npm/PyPI/Maven | Typosquatting attacks | +| 4 | **Build System** | CI/CD pipeline compromise | SolarWinds Orion | +| 5 | **Update Hijacking** | Intercepting legitimate update channels | Kaseya VSA ransomware | +| 6 | **Internal Repository** | Enterprise code repository breach | Codecov credential leak | +| 7 | **Supplier/Partner** | Trusted vendor as attack vector | NotPetya via M.E.Doc | + +--- + +## 2. C-SCRM Framework (NIST SP 800-161r1) + +``` +┌────────────────────────────────────────┐ +│ Level 1 - Enterprise │ +│ C-SCRM strategy, policy, governance │ +├────────────────────────────────────────┤ +│ Level 2 - Mission/Business Process │ +│ Process-specific risk management │ +├────────────────────────────────────────┤ +│ Level 3 - Operational │ +│ System-level SCRM in SDLC │ +└────────────────────────────────────────┘ +``` + +### Supply Chain Participants + +| Role | Responsibilities | +|------|-----------------| +| **Developer** | Secure coding, SBOM generation, vulnerability patching | +| **Supplier** | Security verification, integrity validation, customer notification | +| **Operator** | Security requirements, acceptance testing, lifecycle management | + +--- + +## 3. SBOM (Software Bill of Materials) + +### NTIA Minimum Elements (7 Data Fields) + +| Field | Description | +|-------|-------------| +| Supplier Name | Entity that created/identified the component | +| Timestamp | Date/time of SBOM assembly | +| Author Name | Entity creating the SBOM data | +| Component Name | Name assigned to the SW unit | +| Version String | Version identifier | +| Unique Identifier | Lookup key for component identification | +| Relationship | Dependency relationship (X included in Y) | + +### SBOM Standards + +| Standard | Organization | Focus | International | +|----------|-------------|-------|:------------:| +| SPDX | Linux Foundation | License management | ISO/IEC 5962 | +| CycloneDX | OWASP | Supply chain security | - | +| SWID | NIST/US Commerce | SW asset management | ISO/IEC 19770-2 | + +### NIS-SBOM (Korea, 20 Fields) + +Extended from NTIA 7 fields to 20 fields for Korean government/public sector: +- SBOM Standard, SBOM Type, CycloneDX No, SPDX Doc. ID +- SBOM ID, Product Name/Version, Component Name/Alias/Version +- Component Supplier Name, Hash, Path +- SBOM Author Name, Unique Identifier, Dependency Relationship +- Timestamp, License Name Version, Vul. DB, Vul. Info + +--- + +## 4. Vulnerability Management Flow + +``` +SBOM Generate → CVE Lookup (NVD) → CVSS Scoring → Remediation Plan + │ │ │ │ + SCA tools nvd.nist.gov 0.0~10.0 scale Priority action +``` + +### CVSS Severity Levels + +| Score | Severity | Action | +|:-----:|----------|--------| +| 9.0-10.0 | Critical | Immediate remediation | +| 7.0-8.9 | High | Urgent remediation | +| 4.0-6.9 | Medium | Planned remediation | +| 0.1-3.9 | Low | Monitor | + +--- + +## 5. Regulatory Landscape + +| Country | Regulation | SBOM Requirement | Timeline | +|---------|-----------|------------------|----------| +| USA | EO 14028 + OMB M-22-18 | SBOM submission for federal SW | Active | +| EU | Cyber Resilience Act (CRA) | SBOM for all digital products | 2026 H2 | +| Japan | METI SBOM Roadmap | Industry-specific SBOM adoption | Phased | +| Korea | NIS-SBOM | 20-field SBOM for public sector | In progress | + +--- + +Total assessment items: **29 self-check items** (Design: 5, Development: 11, Supply: 3, Operations: 7, Maintenance: 3) diff --git a/skills/kesekit-check/scripts/supply-chain/sbom-generate.md b/skills/kesekit-check/scripts/supply-chain/sbom-generate.md new file mode 100644 index 0000000..285119f --- /dev/null +++ b/skills/kesekit-check/scripts/supply-chain/sbom-generate.md @@ -0,0 +1,153 @@ +# SBOM Generation Scripts + +> Source: SW 공급망 보안 가이드라인 v1.0 (KISA) +> Checklist refs: SC-03, SC-10, SC-13, SC-14, SC-16 + +--- + +## 1. SBOM Generation with Syft (SC-10, SC-14) + +```bash +# Source code directory scan +syft dir:. -o cyclonedx-json > sbom-cyclonedx.json +syft dir:. -o spdx-json > sbom-spdx.json + +# Container image scan +syft : -o cyclonedx-json > sbom-container.json + +# Specific package manager lockfile +syft file:package-lock.json -o cyclonedx-json > sbom.json +``` + +--- + +## 2. Language-Specific SBOM Tools (SC-10) + +### Node.js (npm/yarn) + +```bash +# CycloneDX npm plugin +npm install -g @cyclonedx/cyclonedx-npm +cyclonedx-npm --output-file sbom.json + +# yarn +npm install -g @cyclonedx/cyclonedx-npm +cyclonedx-npm --package-lock-only --output-file sbom.json +``` + +### Python (pip/poetry) + +```bash +# CycloneDX Python +pip install cyclonedx-bom +cyclonedx-py requirements -i requirements.txt -o sbom.json --format json + +# Poetry +cyclonedx-py poetry -o sbom.json --format json +``` + +### Java (Maven/Gradle) + +```bash +# Maven CycloneDX plugin +mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom + +# Gradle +gradle cyclonedxBom +``` + +### .NET (NuGet) + +```bash +dotnet tool install --global CycloneDX +dotnet CycloneDX .csproj -o sbom.json -j +``` + +### Go + +```bash +# CycloneDX Go module +cyclonedx-gomod mod -json -output sbom.json +``` + +--- + +## 3. SBOM Validation (SC-16, V-1~V-5) + +```bash +# Validate CycloneDX format +npm install -g @cyclonedx/cyclonedx-cli +cyclonedx validate --input-file sbom.json --input-format json + +# Check component count +cat sbom.json | python -c " +import json, sys +data = json.load(sys.stdin) +comps = data.get('components', []) +print(f'Components: {len(comps)}') +for c in comps[:10]: + print(f' {c.get(\"name\", \"?\")}@{c.get(\"version\", \"?\")} [{c.get(\"licenses\", [{}])}]') +" +``` + +--- + +## 4. Cross-Validation with Multiple Tools (V-3) + +```bash +# Generate SBOM with two different tools +syft dir:. -o cyclonedx-json > sbom-syft.json +cyclonedx-npm --output-file sbom-cdx.json + +# Compare component counts +echo "Syft components:" +cat sbom-syft.json | python -c "import json,sys; print(len(json.load(sys.stdin).get('components',[])))" +echo "CycloneDX-npm components:" +cat sbom-cdx.json | python -c "import json,sys; print(len(json.load(sys.stdin).get('components',[])))" +``` + +--- + +## 5. CI/CD Integration (SC-11, SC-13) + +### GitHub Actions + +```yaml +name: SBOM & Security +on: [push, pull_request] +jobs: + sbom: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Generate SBOM + uses: anchore/sbom-action@v0 + with: + format: cyclonedx-json + output-file: sbom.json + - name: Scan Vulnerabilities + uses: anchore/scan-action@v4 + with: + sbom: sbom.json + fail-build: true + severity-cutoff: high + - name: Archive SBOM + uses: actions/upload-artifact@v4 + with: + name: sbom + path: sbom.json +``` + +### GitLab CI/CD + +```yaml +sbom-scan: + stage: test + image: anchore/syft:latest + script: + - syft dir:. -o cyclonedx-json > sbom.json + - grype sbom:sbom.json --fail-on high + artifacts: + paths: + - sbom.json +``` diff --git a/skills/kesekit-check/scripts/supply-chain/sbom-vuln-scan.md b/skills/kesekit-check/scripts/supply-chain/sbom-vuln-scan.md new file mode 100644 index 0000000..c3901dd --- /dev/null +++ b/skills/kesekit-check/scripts/supply-chain/sbom-vuln-scan.md @@ -0,0 +1,151 @@ +# SBOM Vulnerability Scanning & Remediation + +> Source: SW 공급망 보안 가이드라인 v1.0 (KISA) +> Checklist refs: SC-10, SC-14, SC-15, SC-23, SC-24, SC-27 + +--- + +## 1. Vulnerability Scanning with Grype (SC-14) + +```bash +# Scan from SBOM file +grype sbom:sbom.json + +# Scan with severity threshold (fail on high+) +grype sbom:sbom.json --fail-on high + +# Output as JSON for processing +grype sbom:sbom.json -o json > vuln-report.json + +# Scan source directory directly +grype dir:. --fail-on critical +``` + +--- + +## 2. Package Manager Built-in Audit (SC-10) + +### Node.js + +```bash +# npm audit +npm audit +npm audit --json > npm-audit.json + +# Fix automatically +npm audit fix +npm audit fix --force # including breaking changes +``` + +### Python + +```bash +# pip-audit +pip install pip-audit +pip-audit +pip-audit -f json -o pip-audit.json + +# safety +pip install safety +safety check +``` + +### Java + +```bash +# OWASP Dependency-Check +mvn org.owasp:dependency-check-maven:check +``` + +### .NET + +```bash +dotnet list package --vulnerable +dotnet list package --vulnerable --include-transitive +``` + +### Go + +```bash +# govulncheck +go install golang.org/x/vuln/cmd/govulncheck@latest +govulncheck ./... +``` + +--- + +## 3. NVD/CVE Lookup (SC-15, SC-23) + +```bash +# Search NVD for specific CVE +curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-44228" | python -m json.tool + +# Search by keyword +curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=log4j" | python -m json.tool | head -50 + +# Check CISA KEV (Known Exploited Vulnerabilities) +curl -s "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" | python -c " +import json, sys +data = json.load(sys.stdin) +for v in data['vulnerabilities'][:5]: + print(f\"{v['cveID']} | {v['vendorProject']} | {v['product']} | Due: {v['dueDate']}\") +" +``` + +--- + +## 4. CVSS Severity Assessment (SC-15) + +| CVSS Score | Severity | Required Action | SLA | +|:----------:|----------|----------------|:---:| +| 9.0-10.0 | Critical | Immediate patch/mitigation | 24h | +| 7.0-8.9 | High | Urgent remediation | 7d | +| 4.0-6.9 | Medium | Planned remediation | 30d | +| 0.1-3.9 | Low | Monitor, next release | 90d | + +--- + +## 5. Vulnerability Response Record (SC-24, SC-28) + +| Field | Description | +|-------|-------------| +| CVE ID | Vulnerability identifier (e.g., CVE-2021-44228) | +| Component | Affected component name and version | +| CVSS Score | Severity score (0.0-10.0) | +| KEV Status | Whether listed in CISA KEV | +| Business Impact | Affected services/data/operations | +| EoS Status | End-of-Support status of component | +| Priority | P0 (Critical) / P1 (High) / P2 (Medium) / P3 (Low) | +| Remediation | Patch / Upgrade / Virtual patch / Isolate / Accept risk | +| SLA | Target remediation date | +| Owner | Responsible team and person | +| Verification | Re-scan result, regression test link | +| Status | Planned / In Progress / Completed / Exception (approved) | + +--- + +## 6. License Scanning (SC-19) + +```bash +# License check with Syft + Grype +syft dir:. -o cyclonedx-json | python -c " +import json, sys +data = json.load(sys.stdin) +for c in data.get('components', []): + licenses = c.get('licenses', []) + lic_names = [l.get('license', {}).get('id', 'Unknown') for l in licenses] + print(f\"{c['name']}@{c.get('version','?')} : {', '.join(lic_names) or 'No license'}\") +" + +# Check for copyleft licenses (GPL risk) +syft dir:. -o cyclonedx-json | python -c " +import json, sys +data = json.load(sys.stdin) +copyleft = ['GPL', 'LGPL', 'AGPL', 'MPL'] +for c in data.get('components', []): + for l in c.get('licenses', []): + lid = l.get('license', {}).get('id', '') + if any(cl in lid.upper() for cl in copyleft): + print(f'WARNING: {c[\"name\"]}@{c.get(\"version\",\"?\")} uses {lid}') +" +``` diff --git a/skills/kesekit-check/templates/supply-chain/overview.md b/skills/kesekit-check/templates/supply-chain/overview.md new file mode 100644 index 0000000..db49683 --- /dev/null +++ b/skills/kesekit-check/templates/supply-chain/overview.md @@ -0,0 +1,47 @@ +# SW Supply Chain Security Assessment Overview + +> Domain: SW Supply Chain Security (6 categories, 29 items) +> Source: SW 공급망 보안 가이드라인 v1.0 (국정원·과기정통부·KISA, 2024.05) +> Standards: NIST SP 800-161r1, NIST SP 800-218, NTIA SBOM + +--- + +## Assessment Categories + +| # | Category | Items | Scope | +|---|----------|:-----:|-------| +| 1 | Design Phase | 5 | Roles, training, SBOM planning, environment, security specs | +| 2 | Development Phase | 11 | Secure coding, libraries, build security, SBOM management | +| 3 | Supply/Distribution Phase | 3 | Integrity, archival, SBOM delivery | +| 4 | Deployment & Operations Phase | 7 | Requirements, verification, monitoring, SBOM review | +| 5 | Maintenance Phase | 3 | Updates, history, SBOM refresh | +| **Total** | | **29** | | + +## Judgment Criteria + +| Result | Condition | +|--------|-----------| +| **Pass** | Item requirement fully met with evidence | +| **Partial** | Partially implemented or missing documentation | +| **Fail** | Not implemented or no evidence | +| **N/A** | Not applicable to this environment | + +## Severity Classification + +| Severity | Description | Items | +|----------|-------------|:-----:| +| **Critical** | SBOM not generated, no vulnerability scanning | SC-10, SC-14, SC-15 | +| **High** | No integrity verification, no access control | SC-07, SC-08, SC-09, SC-17, SC-22 | +| **Medium** | Missing training, incomplete documentation | SC-02, SC-05, SC-13, SC-16 | +| **Low** | Process improvement opportunities | SC-01, SC-03, SC-04 | + +## Assessment Scope Detection + +| Context | Indicators | +|---------|-----------| +| SBOM Required | npm/pip/maven project, government/public sector delivery | +| Supply Chain Risk | External libraries, OSS components, 3rd-party dependencies | +| Regulatory | US federal SW, EU digital product, Korean public sector | +| Vibe Coding | AI-generated code with auto-imported dependencies | + +Load `templates/supply-chain/sbom-checklist.md` for the full 29-item assessment. diff --git a/skills/kesekit-check/templates/supply-chain/sbom-checklist.md b/skills/kesekit-check/templates/supply-chain/sbom-checklist.md new file mode 100644 index 0000000..95458cd --- /dev/null +++ b/skills/kesekit-check/templates/supply-chain/sbom-checklist.md @@ -0,0 +1,93 @@ +# SW Supply Chain Security Self-Assessment Checklist + +> Source: SW 공급망 보안 가이드라인 v1.0 (국정원·과기정통부·KISA, 2024.05) +> Standards: NIST SP 800-161r1, NIST SP 800-218 +> Total: 29 items (Design 5 + Development 11 + Supply 3 + Operations 7 + Maintenance 3) + +--- + +## 1. Design Phase (5 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-01 | Roles & responsibilities for secure development defined | Organization notice with security roles and responsibilities | Low | +| SC-02 | Security training provided to developers | Supply chain security, secure coding training records | Medium | +| SC-03 | Supply chain security considered in design | Configuration management, SBOM generation & management plan | Low | +| SC-04 | Development environment security managed | OS/antivirus update status on dev endpoints | Low | +| SC-05 | Key security items identified and documented | Data protection level, encryption, authentication, access control specs | Medium | + +--- + +## 2. Development Phase (11 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-06 | Secure coding practices followed | Secure coding verification during source/build | Medium | +| SC-07 | Default security settings reviewed before deployment | SSL, access permissions, repository encryption enabled | High | +| SC-08 | External library security verified on import | Malware/integrity check for external libraries | High | +| SC-09 | Internal repository access restricted to authorized users | Source code management system access control | High | +| SC-10 | OSS and internal code continuously scanned for vulnerabilities | Vulnerability scan logs available | **Critical** | +| SC-11 | Automated security tests in build process | CI/CD pipeline includes security testing | Medium | +| SC-12 | Compiler/interpreter security options enabled | Build options with security features activated | Medium | +| SC-13 | Build artifacts preserved | Executables, compile logs, SBOM, test results archived | Medium | +| SC-14 | SBOM component vulnerabilities checked | Vulnerability identification from SBOM results | **Critical** | +| SC-15 | Severe vulnerabilities have validation process | CVSS 7.0+ components verified for exploitability | **Critical** | +| SC-16 | SBOM creation history maintained | SBOM generation records retained | Medium | + +--- + +## 3. Supply/Distribution Phase (3 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-17 | SW integrity verification data provided | Code signing, hash values delivered | High | +| SC-18 | Source code, libraries, OSS info securely archived | Secure storage of source materials | Medium | +| SC-19 | SBOM, vulnerability, license info shared with customer | SBOM utilization for transparency | Medium | + +--- + +## 4. Deployment & Operations Phase (7 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-20 | Supply chain security requirements manual exists | SBOM provision, vulnerability remediation, update requirements | Medium | +| SC-21 | Security requirements verified at contract | Compliance confirmation | Medium | +| SC-22 | SW integrity verified via code signing/hash | Code signature and hash validation | High | +| SC-23 | CVE monitoring for deployed SW | Known vulnerability alerts monitored | High | +| SC-24 | Severe vulnerability response process exists | Remediation request procedure to supplier | High | +| SC-25 | SBOM received for externally developed SW | SBOM review for outsourced SW | Medium | +| SC-26 | External code scanned for vulnerabilities | Security vulnerability check for outsourced code | High | + +--- + +## 5. Maintenance Phase (3 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-27 | Security updates regularly checked | Patch application status | High | +| SC-28 | Vulnerability remediation history maintained | Remediation action documentation | Medium | +| SC-29 | SBOM regularly updated | SBOM refreshed on SW changes | Medium | + +--- + +## Scoring + +| Pass Rate | Result | +|:---------:|--------| +| >= 80% | **PASS** - Supply chain security posture adequate | +| 60-79% | **CONDITIONAL** - Remediation plan required | +| < 60% | **FAIL** - Deployment blocked, critical gaps | + +Critical items (SC-10, SC-14, SC-15) must ALL pass regardless of overall score. + +--- + +## SBOM Validity Verification Checklist + +| # | Check | Description | +|---|-------|-------------| +| V-1 | Developer confirmation | Compare SBOM data with actual product info (language, framework, OSS) | +| V-2 | Completeness check | Verify no missing fields per CycloneDX/SPDX standard | +| V-3 | Cross-validation | Compare results from 2+ SBOM tools | +| V-4 | Source vs Binary | Compare source-based and binary-based SBOM results | +| V-5 | Hidden components | Check for undiscovered OSS components post-installation | diff --git a/skills/kesekit-fix/SKILL.md b/skills/kesekit-fix/SKILL.md index 5c6fa24..763d388 100644 --- a/skills/kesekit-fix/SKILL.md +++ b/skills/kesekit-fix/SKILL.md @@ -1,6 +1,6 @@ --- name: kesekit-fix -description: Auto-fix security vulnerabilities found in CII, AI, robot, and space systems. Generates hardening scripts for Unix/Linux, Windows, web servers, databases, AI, robot, and space infrastructure (satellite/GSaaS/ground station). Use when "fix vulnerabilities", "apply hardening", "server hardening", "AI security fix", "robot security fix", "space security fix", "satellite hardening", "GSaaS hardening". +description: Auto-fix security vulnerabilities found in CII, AI, robot, space, and supply chain systems. Generates hardening scripts and SBOM-based vulnerability remediation. Use when "fix vulnerabilities", "apply hardening", "server hardening", "AI security fix", "robot security fix", "space security fix", "satellite hardening", "GSaaS hardening", "supply chain fix", "SBOM fix", "공급망 수정", "취약점 조치". --- # KESE Vulnerability Auto-Fix @@ -17,8 +17,10 @@ Generate and apply fixes based on vulnerability assessment results. Auto-selects | 4 | **Space Security Fixes** | Space system hardening (CMMC, K-RMF, NIS2, NIST IR 8401) | | 5 | **Secure Coding Fixes** | Auto-fix vulnerable code patterns (JS/Python, 46 CWE) | | 6 | **Zero Trust Fixes** | Zero Trust gap remediation (8 elements, 4 maturity levels, ~396 items) | +| 7 | **SW Supply Chain Fixes** | SBOM generation, vulnerability scanning, remediation (29 items) | Zero Trust, ZTA, ZTNA, 제로트러스트, 마이크로세그멘테이션, microsegmentation, SDP, SASE, PEP/PDP, never trust always verify → **Zero Trust** +SBOM, supply chain, 공급망, C-SCRM, SCA, CycloneDX, SPDX, npm audit, pip-audit → **SW Supply Chain** ## CII Branch @@ -62,6 +64,14 @@ Load from `references/zero-trust/` for maturity model and architecture, and `tem --- +## SW Supply Chain Branch + +Load from `references/supply-chain/overview.md` for C-SCRM/SBOM context. Use `scripts/supply-chain/sbom-generate.md` for SBOM generation commands (Syft, CycloneDX, language-specific tools). Use `scripts/supply-chain/sbom-vuln-scan.md` for vulnerability scanning (Grype, npm audit, pip-audit, govulncheck) and license compliance checks. Reference `templates/supply-chain/sbom-checklist.md` for the 29-item remediation checklist. + +Fix workflow: Generate SBOM → Scan vulnerabilities → Prioritize by CVSS → Apply patches → Verify → Update SBOM. + +--- + ## Notes - Always backup before applying fixes - Test in non-production first diff --git a/skills/kesekit-fix/references/supply-chain/overview.md b/skills/kesekit-fix/references/supply-chain/overview.md new file mode 100644 index 0000000..fadab04 --- /dev/null +++ b/skills/kesekit-fix/references/supply-chain/overview.md @@ -0,0 +1,111 @@ +# SW Supply Chain Security Overview + +> Source: SW 공급망 보안 가이드라인 v1.0 (2024.05, 국가정보원·과기정통부·디플정위·KISA) +> Domain: SW Supply Chain Risk Management, SBOM-based Security +> Standards: NIST SP 800-161r1 (C-SCRM), NIST SP 800-218 (SSDF), NTIA SBOM Minimum Elements + +--- + +## 1. Supply Chain Attack Types (7 Categories) + +| # | Attack Type | Description | Example | +|---|------------|-------------|---------| +| 1 | **Open Source Vulnerability** | Exploiting known CVEs in widely used OSS | Log4Shell (CVE-2021-44228) | +| 2 | **Third-party Dependency** | Compromised 3rd-party libraries/modules | event-stream malicious injection | +| 3 | **Public Repository** | Malicious packages via npm/PyPI/Maven | Typosquatting attacks | +| 4 | **Build System** | CI/CD pipeline compromise | SolarWinds Orion | +| 5 | **Update Hijacking** | Intercepting legitimate update channels | Kaseya VSA ransomware | +| 6 | **Internal Repository** | Enterprise code repository breach | Codecov credential leak | +| 7 | **Supplier/Partner** | Trusted vendor as attack vector | NotPetya via M.E.Doc | + +--- + +## 2. C-SCRM Framework (NIST SP 800-161r1) + +``` +┌────────────────────────────────────────┐ +│ Level 1 - Enterprise │ +│ C-SCRM strategy, policy, governance │ +├────────────────────────────────────────┤ +│ Level 2 - Mission/Business Process │ +│ Process-specific risk management │ +├────────────────────────────────────────┤ +│ Level 3 - Operational │ +│ System-level SCRM in SDLC │ +└────────────────────────────────────────┘ +``` + +### Supply Chain Participants + +| Role | Responsibilities | +|------|-----------------| +| **Developer** | Secure coding, SBOM generation, vulnerability patching | +| **Supplier** | Security verification, integrity validation, customer notification | +| **Operator** | Security requirements, acceptance testing, lifecycle management | + +--- + +## 3. SBOM (Software Bill of Materials) + +### NTIA Minimum Elements (7 Data Fields) + +| Field | Description | +|-------|-------------| +| Supplier Name | Entity that created/identified the component | +| Timestamp | Date/time of SBOM assembly | +| Author Name | Entity creating the SBOM data | +| Component Name | Name assigned to the SW unit | +| Version String | Version identifier | +| Unique Identifier | Lookup key for component identification | +| Relationship | Dependency relationship (X included in Y) | + +### SBOM Standards + +| Standard | Organization | Focus | International | +|----------|-------------|-------|:------------:| +| SPDX | Linux Foundation | License management | ISO/IEC 5962 | +| CycloneDX | OWASP | Supply chain security | - | +| SWID | NIST/US Commerce | SW asset management | ISO/IEC 19770-2 | + +### NIS-SBOM (Korea, 20 Fields) + +Extended from NTIA 7 fields to 20 fields for Korean government/public sector: +- SBOM Standard, SBOM Type, CycloneDX No, SPDX Doc. ID +- SBOM ID, Product Name/Version, Component Name/Alias/Version +- Component Supplier Name, Hash, Path +- SBOM Author Name, Unique Identifier, Dependency Relationship +- Timestamp, License Name Version, Vul. DB, Vul. Info + +--- + +## 4. Vulnerability Management Flow + +``` +SBOM Generate → CVE Lookup (NVD) → CVSS Scoring → Remediation Plan + │ │ │ │ + SCA tools nvd.nist.gov 0.0~10.0 scale Priority action +``` + +### CVSS Severity Levels + +| Score | Severity | Action | +|:-----:|----------|--------| +| 9.0-10.0 | Critical | Immediate remediation | +| 7.0-8.9 | High | Urgent remediation | +| 4.0-6.9 | Medium | Planned remediation | +| 0.1-3.9 | Low | Monitor | + +--- + +## 5. Regulatory Landscape + +| Country | Regulation | SBOM Requirement | Timeline | +|---------|-----------|------------------|----------| +| USA | EO 14028 + OMB M-22-18 | SBOM submission for federal SW | Active | +| EU | Cyber Resilience Act (CRA) | SBOM for all digital products | 2026 H2 | +| Japan | METI SBOM Roadmap | Industry-specific SBOM adoption | Phased | +| Korea | NIS-SBOM | 20-field SBOM for public sector | In progress | + +--- + +Total assessment items: **29 self-check items** (Design: 5, Development: 11, Supply: 3, Operations: 7, Maintenance: 3) diff --git a/skills/kesekit-fix/scripts/supply-chain/sbom-generate.md b/skills/kesekit-fix/scripts/supply-chain/sbom-generate.md new file mode 100644 index 0000000..285119f --- /dev/null +++ b/skills/kesekit-fix/scripts/supply-chain/sbom-generate.md @@ -0,0 +1,153 @@ +# SBOM Generation Scripts + +> Source: SW 공급망 보안 가이드라인 v1.0 (KISA) +> Checklist refs: SC-03, SC-10, SC-13, SC-14, SC-16 + +--- + +## 1. SBOM Generation with Syft (SC-10, SC-14) + +```bash +# Source code directory scan +syft dir:. -o cyclonedx-json > sbom-cyclonedx.json +syft dir:. -o spdx-json > sbom-spdx.json + +# Container image scan +syft : -o cyclonedx-json > sbom-container.json + +# Specific package manager lockfile +syft file:package-lock.json -o cyclonedx-json > sbom.json +``` + +--- + +## 2. Language-Specific SBOM Tools (SC-10) + +### Node.js (npm/yarn) + +```bash +# CycloneDX npm plugin +npm install -g @cyclonedx/cyclonedx-npm +cyclonedx-npm --output-file sbom.json + +# yarn +npm install -g @cyclonedx/cyclonedx-npm +cyclonedx-npm --package-lock-only --output-file sbom.json +``` + +### Python (pip/poetry) + +```bash +# CycloneDX Python +pip install cyclonedx-bom +cyclonedx-py requirements -i requirements.txt -o sbom.json --format json + +# Poetry +cyclonedx-py poetry -o sbom.json --format json +``` + +### Java (Maven/Gradle) + +```bash +# Maven CycloneDX plugin +mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom + +# Gradle +gradle cyclonedxBom +``` + +### .NET (NuGet) + +```bash +dotnet tool install --global CycloneDX +dotnet CycloneDX .csproj -o sbom.json -j +``` + +### Go + +```bash +# CycloneDX Go module +cyclonedx-gomod mod -json -output sbom.json +``` + +--- + +## 3. SBOM Validation (SC-16, V-1~V-5) + +```bash +# Validate CycloneDX format +npm install -g @cyclonedx/cyclonedx-cli +cyclonedx validate --input-file sbom.json --input-format json + +# Check component count +cat sbom.json | python -c " +import json, sys +data = json.load(sys.stdin) +comps = data.get('components', []) +print(f'Components: {len(comps)}') +for c in comps[:10]: + print(f' {c.get(\"name\", \"?\")}@{c.get(\"version\", \"?\")} [{c.get(\"licenses\", [{}])}]') +" +``` + +--- + +## 4. Cross-Validation with Multiple Tools (V-3) + +```bash +# Generate SBOM with two different tools +syft dir:. -o cyclonedx-json > sbom-syft.json +cyclonedx-npm --output-file sbom-cdx.json + +# Compare component counts +echo "Syft components:" +cat sbom-syft.json | python -c "import json,sys; print(len(json.load(sys.stdin).get('components',[])))" +echo "CycloneDX-npm components:" +cat sbom-cdx.json | python -c "import json,sys; print(len(json.load(sys.stdin).get('components',[])))" +``` + +--- + +## 5. CI/CD Integration (SC-11, SC-13) + +### GitHub Actions + +```yaml +name: SBOM & Security +on: [push, pull_request] +jobs: + sbom: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Generate SBOM + uses: anchore/sbom-action@v0 + with: + format: cyclonedx-json + output-file: sbom.json + - name: Scan Vulnerabilities + uses: anchore/scan-action@v4 + with: + sbom: sbom.json + fail-build: true + severity-cutoff: high + - name: Archive SBOM + uses: actions/upload-artifact@v4 + with: + name: sbom + path: sbom.json +``` + +### GitLab CI/CD + +```yaml +sbom-scan: + stage: test + image: anchore/syft:latest + script: + - syft dir:. -o cyclonedx-json > sbom.json + - grype sbom:sbom.json --fail-on high + artifacts: + paths: + - sbom.json +``` diff --git a/skills/kesekit-fix/scripts/supply-chain/sbom-vuln-scan.md b/skills/kesekit-fix/scripts/supply-chain/sbom-vuln-scan.md new file mode 100644 index 0000000..c3901dd --- /dev/null +++ b/skills/kesekit-fix/scripts/supply-chain/sbom-vuln-scan.md @@ -0,0 +1,151 @@ +# SBOM Vulnerability Scanning & Remediation + +> Source: SW 공급망 보안 가이드라인 v1.0 (KISA) +> Checklist refs: SC-10, SC-14, SC-15, SC-23, SC-24, SC-27 + +--- + +## 1. Vulnerability Scanning with Grype (SC-14) + +```bash +# Scan from SBOM file +grype sbom:sbom.json + +# Scan with severity threshold (fail on high+) +grype sbom:sbom.json --fail-on high + +# Output as JSON for processing +grype sbom:sbom.json -o json > vuln-report.json + +# Scan source directory directly +grype dir:. --fail-on critical +``` + +--- + +## 2. Package Manager Built-in Audit (SC-10) + +### Node.js + +```bash +# npm audit +npm audit +npm audit --json > npm-audit.json + +# Fix automatically +npm audit fix +npm audit fix --force # including breaking changes +``` + +### Python + +```bash +# pip-audit +pip install pip-audit +pip-audit +pip-audit -f json -o pip-audit.json + +# safety +pip install safety +safety check +``` + +### Java + +```bash +# OWASP Dependency-Check +mvn org.owasp:dependency-check-maven:check +``` + +### .NET + +```bash +dotnet list package --vulnerable +dotnet list package --vulnerable --include-transitive +``` + +### Go + +```bash +# govulncheck +go install golang.org/x/vuln/cmd/govulncheck@latest +govulncheck ./... +``` + +--- + +## 3. NVD/CVE Lookup (SC-15, SC-23) + +```bash +# Search NVD for specific CVE +curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-44228" | python -m json.tool + +# Search by keyword +curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=log4j" | python -m json.tool | head -50 + +# Check CISA KEV (Known Exploited Vulnerabilities) +curl -s "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" | python -c " +import json, sys +data = json.load(sys.stdin) +for v in data['vulnerabilities'][:5]: + print(f\"{v['cveID']} | {v['vendorProject']} | {v['product']} | Due: {v['dueDate']}\") +" +``` + +--- + +## 4. CVSS Severity Assessment (SC-15) + +| CVSS Score | Severity | Required Action | SLA | +|:----------:|----------|----------------|:---:| +| 9.0-10.0 | Critical | Immediate patch/mitigation | 24h | +| 7.0-8.9 | High | Urgent remediation | 7d | +| 4.0-6.9 | Medium | Planned remediation | 30d | +| 0.1-3.9 | Low | Monitor, next release | 90d | + +--- + +## 5. Vulnerability Response Record (SC-24, SC-28) + +| Field | Description | +|-------|-------------| +| CVE ID | Vulnerability identifier (e.g., CVE-2021-44228) | +| Component | Affected component name and version | +| CVSS Score | Severity score (0.0-10.0) | +| KEV Status | Whether listed in CISA KEV | +| Business Impact | Affected services/data/operations | +| EoS Status | End-of-Support status of component | +| Priority | P0 (Critical) / P1 (High) / P2 (Medium) / P3 (Low) | +| Remediation | Patch / Upgrade / Virtual patch / Isolate / Accept risk | +| SLA | Target remediation date | +| Owner | Responsible team and person | +| Verification | Re-scan result, regression test link | +| Status | Planned / In Progress / Completed / Exception (approved) | + +--- + +## 6. License Scanning (SC-19) + +```bash +# License check with Syft + Grype +syft dir:. -o cyclonedx-json | python -c " +import json, sys +data = json.load(sys.stdin) +for c in data.get('components', []): + licenses = c.get('licenses', []) + lic_names = [l.get('license', {}).get('id', 'Unknown') for l in licenses] + print(f\"{c['name']}@{c.get('version','?')} : {', '.join(lic_names) or 'No license'}\") +" + +# Check for copyleft licenses (GPL risk) +syft dir:. -o cyclonedx-json | python -c " +import json, sys +data = json.load(sys.stdin) +copyleft = ['GPL', 'LGPL', 'AGPL', 'MPL'] +for c in data.get('components', []): + for l in c.get('licenses', []): + lid = l.get('license', {}).get('id', '') + if any(cl in lid.upper() for cl in copyleft): + print(f'WARNING: {c[\"name\"]}@{c.get(\"version\",\"?\")} uses {lid}') +" +``` diff --git a/skills/kesekit-fix/templates/supply-chain/overview.md b/skills/kesekit-fix/templates/supply-chain/overview.md new file mode 100644 index 0000000..db49683 --- /dev/null +++ b/skills/kesekit-fix/templates/supply-chain/overview.md @@ -0,0 +1,47 @@ +# SW Supply Chain Security Assessment Overview + +> Domain: SW Supply Chain Security (6 categories, 29 items) +> Source: SW 공급망 보안 가이드라인 v1.0 (국정원·과기정통부·KISA, 2024.05) +> Standards: NIST SP 800-161r1, NIST SP 800-218, NTIA SBOM + +--- + +## Assessment Categories + +| # | Category | Items | Scope | +|---|----------|:-----:|-------| +| 1 | Design Phase | 5 | Roles, training, SBOM planning, environment, security specs | +| 2 | Development Phase | 11 | Secure coding, libraries, build security, SBOM management | +| 3 | Supply/Distribution Phase | 3 | Integrity, archival, SBOM delivery | +| 4 | Deployment & Operations Phase | 7 | Requirements, verification, monitoring, SBOM review | +| 5 | Maintenance Phase | 3 | Updates, history, SBOM refresh | +| **Total** | | **29** | | + +## Judgment Criteria + +| Result | Condition | +|--------|-----------| +| **Pass** | Item requirement fully met with evidence | +| **Partial** | Partially implemented or missing documentation | +| **Fail** | Not implemented or no evidence | +| **N/A** | Not applicable to this environment | + +## Severity Classification + +| Severity | Description | Items | +|----------|-------------|:-----:| +| **Critical** | SBOM not generated, no vulnerability scanning | SC-10, SC-14, SC-15 | +| **High** | No integrity verification, no access control | SC-07, SC-08, SC-09, SC-17, SC-22 | +| **Medium** | Missing training, incomplete documentation | SC-02, SC-05, SC-13, SC-16 | +| **Low** | Process improvement opportunities | SC-01, SC-03, SC-04 | + +## Assessment Scope Detection + +| Context | Indicators | +|---------|-----------| +| SBOM Required | npm/pip/maven project, government/public sector delivery | +| Supply Chain Risk | External libraries, OSS components, 3rd-party dependencies | +| Regulatory | US federal SW, EU digital product, Korean public sector | +| Vibe Coding | AI-generated code with auto-imported dependencies | + +Load `templates/supply-chain/sbom-checklist.md` for the full 29-item assessment. diff --git a/skills/kesekit-fix/templates/supply-chain/sbom-checklist.md b/skills/kesekit-fix/templates/supply-chain/sbom-checklist.md new file mode 100644 index 0000000..95458cd --- /dev/null +++ b/skills/kesekit-fix/templates/supply-chain/sbom-checklist.md @@ -0,0 +1,93 @@ +# SW Supply Chain Security Self-Assessment Checklist + +> Source: SW 공급망 보안 가이드라인 v1.0 (국정원·과기정통부·KISA, 2024.05) +> Standards: NIST SP 800-161r1, NIST SP 800-218 +> Total: 29 items (Design 5 + Development 11 + Supply 3 + Operations 7 + Maintenance 3) + +--- + +## 1. Design Phase (5 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-01 | Roles & responsibilities for secure development defined | Organization notice with security roles and responsibilities | Low | +| SC-02 | Security training provided to developers | Supply chain security, secure coding training records | Medium | +| SC-03 | Supply chain security considered in design | Configuration management, SBOM generation & management plan | Low | +| SC-04 | Development environment security managed | OS/antivirus update status on dev endpoints | Low | +| SC-05 | Key security items identified and documented | Data protection level, encryption, authentication, access control specs | Medium | + +--- + +## 2. Development Phase (11 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-06 | Secure coding practices followed | Secure coding verification during source/build | Medium | +| SC-07 | Default security settings reviewed before deployment | SSL, access permissions, repository encryption enabled | High | +| SC-08 | External library security verified on import | Malware/integrity check for external libraries | High | +| SC-09 | Internal repository access restricted to authorized users | Source code management system access control | High | +| SC-10 | OSS and internal code continuously scanned for vulnerabilities | Vulnerability scan logs available | **Critical** | +| SC-11 | Automated security tests in build process | CI/CD pipeline includes security testing | Medium | +| SC-12 | Compiler/interpreter security options enabled | Build options with security features activated | Medium | +| SC-13 | Build artifacts preserved | Executables, compile logs, SBOM, test results archived | Medium | +| SC-14 | SBOM component vulnerabilities checked | Vulnerability identification from SBOM results | **Critical** | +| SC-15 | Severe vulnerabilities have validation process | CVSS 7.0+ components verified for exploitability | **Critical** | +| SC-16 | SBOM creation history maintained | SBOM generation records retained | Medium | + +--- + +## 3. Supply/Distribution Phase (3 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-17 | SW integrity verification data provided | Code signing, hash values delivered | High | +| SC-18 | Source code, libraries, OSS info securely archived | Secure storage of source materials | Medium | +| SC-19 | SBOM, vulnerability, license info shared with customer | SBOM utilization for transparency | Medium | + +--- + +## 4. Deployment & Operations Phase (7 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-20 | Supply chain security requirements manual exists | SBOM provision, vulnerability remediation, update requirements | Medium | +| SC-21 | Security requirements verified at contract | Compliance confirmation | Medium | +| SC-22 | SW integrity verified via code signing/hash | Code signature and hash validation | High | +| SC-23 | CVE monitoring for deployed SW | Known vulnerability alerts monitored | High | +| SC-24 | Severe vulnerability response process exists | Remediation request procedure to supplier | High | +| SC-25 | SBOM received for externally developed SW | SBOM review for outsourced SW | Medium | +| SC-26 | External code scanned for vulnerabilities | Security vulnerability check for outsourced code | High | + +--- + +## 5. Maintenance Phase (3 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-27 | Security updates regularly checked | Patch application status | High | +| SC-28 | Vulnerability remediation history maintained | Remediation action documentation | Medium | +| SC-29 | SBOM regularly updated | SBOM refreshed on SW changes | Medium | + +--- + +## Scoring + +| Pass Rate | Result | +|:---------:|--------| +| >= 80% | **PASS** - Supply chain security posture adequate | +| 60-79% | **CONDITIONAL** - Remediation plan required | +| < 60% | **FAIL** - Deployment blocked, critical gaps | + +Critical items (SC-10, SC-14, SC-15) must ALL pass regardless of overall score. + +--- + +## SBOM Validity Verification Checklist + +| # | Check | Description | +|---|-------|-------------| +| V-1 | Developer confirmation | Compare SBOM data with actual product info (language, framework, OSS) | +| V-2 | Completeness check | Verify no missing fields per CycloneDX/SPDX standard | +| V-3 | Cross-validation | Compare results from 2+ SBOM tools | +| V-4 | Source vs Binary | Compare source-based and binary-based SBOM results | +| V-5 | Hidden components | Check for undiscovered OSS components post-installation | diff --git a/skills/kesekit-guide/SKILL.md b/skills/kesekit-guide/SKILL.md index 0958db0..509dbab 100644 --- a/skills/kesekit-guide/SKILL.md +++ b/skills/kesekit-guide/SKILL.md @@ -1,6 +1,6 @@ --- name: kesekit-guide -description: Generate secure coding prompts and guides for AI tools (Claude, ChatGPT, Cursor, Copilot). Creates copy-paste ready prompts for KISA CII, AI security, robot security, and space security (CCSDS, satellite protocols, GSaaS, supply chain). Use when "security guide", "secure coding guide", "AI secure coding", "robot secure coding", "space secure coding", "satellite security guide". +description: Generate secure coding prompts and guides for AI tools (Claude, ChatGPT, Cursor, Copilot). Creates copy-paste ready prompts for KISA CII, AI security, robot security, space security, and SW supply chain security (SBOM, C-SCRM). Use when "security guide", "secure coding guide", "AI secure coding", "robot secure coding", "space secure coding", "satellite security guide", "supply chain guide", "SBOM guide", "공급망 가이드". --- # KESE Secure Coding Prompt Generator @@ -17,8 +17,10 @@ Generate secure coding prompts based on KISA guidelines and international standa | 4 | **Space Security Coding** | Space-specific (CCSDS, satellite protocols, GSaaS, supply chain) | | 5 | **Secure Coding (Language)** | Language-specific secure coding (JS, Python, pseudo code) | | 6 | **Zero Trust Guide** | Zero Trust architecture and maturity assessment guide (8 elements, ~396 items) | +| 7 | **SW Supply Chain Guide** | SBOM, C-SCRM, supply chain security prompts (29 items) | Zero Trust, ZTA, ZTNA, 제로트러스트, 마이크로세그멘테이션, microsegmentation, SDP, SASE, PEP/PDP, never trust always verify → **Zero Trust** +SBOM, supply chain, 공급망, C-SCRM, SCA, CycloneDX, SPDX, npm audit, pip-audit → **SW Supply Chain** ## CII Branch @@ -66,6 +68,17 @@ Reference `references/zero-trust/overview.md` for ZT architecture and `reference --- +## SW Supply Chain Branch + +Reference `references/supply-chain/overview.md` for C-SCRM framework, SBOM standards, and regulatory landscape. Use `templates/supply-chain/sbom-checklist.md` for the 29-item checklist. Generate prompts for: SBOM generation (Syft, CycloneDX), vulnerability scanning (Grype, npm audit, pip-audit), CI/CD pipeline integration, license compliance, and NIS-SBOM compliance. + +### Auto-detection +- npm, yarn, pip, maven, gradle, cargo → language-specific SBOM prompts +- CI/CD, GitHub Actions, GitLab CI → pipeline integration prompts +- Government/public sector delivery → NIS-SBOM compliance prompts + +--- + ## Usage Copy the generated prompt into your AI assistant conversation, then request code. diff --git a/skills/kesekit-guide/references/supply-chain/overview.md b/skills/kesekit-guide/references/supply-chain/overview.md new file mode 100644 index 0000000..fadab04 --- /dev/null +++ b/skills/kesekit-guide/references/supply-chain/overview.md @@ -0,0 +1,111 @@ +# SW Supply Chain Security Overview + +> Source: SW 공급망 보안 가이드라인 v1.0 (2024.05, 국가정보원·과기정통부·디플정위·KISA) +> Domain: SW Supply Chain Risk Management, SBOM-based Security +> Standards: NIST SP 800-161r1 (C-SCRM), NIST SP 800-218 (SSDF), NTIA SBOM Minimum Elements + +--- + +## 1. Supply Chain Attack Types (7 Categories) + +| # | Attack Type | Description | Example | +|---|------------|-------------|---------| +| 1 | **Open Source Vulnerability** | Exploiting known CVEs in widely used OSS | Log4Shell (CVE-2021-44228) | +| 2 | **Third-party Dependency** | Compromised 3rd-party libraries/modules | event-stream malicious injection | +| 3 | **Public Repository** | Malicious packages via npm/PyPI/Maven | Typosquatting attacks | +| 4 | **Build System** | CI/CD pipeline compromise | SolarWinds Orion | +| 5 | **Update Hijacking** | Intercepting legitimate update channels | Kaseya VSA ransomware | +| 6 | **Internal Repository** | Enterprise code repository breach | Codecov credential leak | +| 7 | **Supplier/Partner** | Trusted vendor as attack vector | NotPetya via M.E.Doc | + +--- + +## 2. C-SCRM Framework (NIST SP 800-161r1) + +``` +┌────────────────────────────────────────┐ +│ Level 1 - Enterprise │ +│ C-SCRM strategy, policy, governance │ +├────────────────────────────────────────┤ +│ Level 2 - Mission/Business Process │ +│ Process-specific risk management │ +├────────────────────────────────────────┤ +│ Level 3 - Operational │ +│ System-level SCRM in SDLC │ +└────────────────────────────────────────┘ +``` + +### Supply Chain Participants + +| Role | Responsibilities | +|------|-----------------| +| **Developer** | Secure coding, SBOM generation, vulnerability patching | +| **Supplier** | Security verification, integrity validation, customer notification | +| **Operator** | Security requirements, acceptance testing, lifecycle management | + +--- + +## 3. SBOM (Software Bill of Materials) + +### NTIA Minimum Elements (7 Data Fields) + +| Field | Description | +|-------|-------------| +| Supplier Name | Entity that created/identified the component | +| Timestamp | Date/time of SBOM assembly | +| Author Name | Entity creating the SBOM data | +| Component Name | Name assigned to the SW unit | +| Version String | Version identifier | +| Unique Identifier | Lookup key for component identification | +| Relationship | Dependency relationship (X included in Y) | + +### SBOM Standards + +| Standard | Organization | Focus | International | +|----------|-------------|-------|:------------:| +| SPDX | Linux Foundation | License management | ISO/IEC 5962 | +| CycloneDX | OWASP | Supply chain security | - | +| SWID | NIST/US Commerce | SW asset management | ISO/IEC 19770-2 | + +### NIS-SBOM (Korea, 20 Fields) + +Extended from NTIA 7 fields to 20 fields for Korean government/public sector: +- SBOM Standard, SBOM Type, CycloneDX No, SPDX Doc. ID +- SBOM ID, Product Name/Version, Component Name/Alias/Version +- Component Supplier Name, Hash, Path +- SBOM Author Name, Unique Identifier, Dependency Relationship +- Timestamp, License Name Version, Vul. DB, Vul. Info + +--- + +## 4. Vulnerability Management Flow + +``` +SBOM Generate → CVE Lookup (NVD) → CVSS Scoring → Remediation Plan + │ │ │ │ + SCA tools nvd.nist.gov 0.0~10.0 scale Priority action +``` + +### CVSS Severity Levels + +| Score | Severity | Action | +|:-----:|----------|--------| +| 9.0-10.0 | Critical | Immediate remediation | +| 7.0-8.9 | High | Urgent remediation | +| 4.0-6.9 | Medium | Planned remediation | +| 0.1-3.9 | Low | Monitor | + +--- + +## 5. Regulatory Landscape + +| Country | Regulation | SBOM Requirement | Timeline | +|---------|-----------|------------------|----------| +| USA | EO 14028 + OMB M-22-18 | SBOM submission for federal SW | Active | +| EU | Cyber Resilience Act (CRA) | SBOM for all digital products | 2026 H2 | +| Japan | METI SBOM Roadmap | Industry-specific SBOM adoption | Phased | +| Korea | NIS-SBOM | 20-field SBOM for public sector | In progress | + +--- + +Total assessment items: **29 self-check items** (Design: 5, Development: 11, Supply: 3, Operations: 7, Maintenance: 3) diff --git a/skills/kesekit-guide/scripts/supply-chain/sbom-generate.md b/skills/kesekit-guide/scripts/supply-chain/sbom-generate.md new file mode 100644 index 0000000..285119f --- /dev/null +++ b/skills/kesekit-guide/scripts/supply-chain/sbom-generate.md @@ -0,0 +1,153 @@ +# SBOM Generation Scripts + +> Source: SW 공급망 보안 가이드라인 v1.0 (KISA) +> Checklist refs: SC-03, SC-10, SC-13, SC-14, SC-16 + +--- + +## 1. SBOM Generation with Syft (SC-10, SC-14) + +```bash +# Source code directory scan +syft dir:. -o cyclonedx-json > sbom-cyclonedx.json +syft dir:. -o spdx-json > sbom-spdx.json + +# Container image scan +syft : -o cyclonedx-json > sbom-container.json + +# Specific package manager lockfile +syft file:package-lock.json -o cyclonedx-json > sbom.json +``` + +--- + +## 2. Language-Specific SBOM Tools (SC-10) + +### Node.js (npm/yarn) + +```bash +# CycloneDX npm plugin +npm install -g @cyclonedx/cyclonedx-npm +cyclonedx-npm --output-file sbom.json + +# yarn +npm install -g @cyclonedx/cyclonedx-npm +cyclonedx-npm --package-lock-only --output-file sbom.json +``` + +### Python (pip/poetry) + +```bash +# CycloneDX Python +pip install cyclonedx-bom +cyclonedx-py requirements -i requirements.txt -o sbom.json --format json + +# Poetry +cyclonedx-py poetry -o sbom.json --format json +``` + +### Java (Maven/Gradle) + +```bash +# Maven CycloneDX plugin +mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom + +# Gradle +gradle cyclonedxBom +``` + +### .NET (NuGet) + +```bash +dotnet tool install --global CycloneDX +dotnet CycloneDX .csproj -o sbom.json -j +``` + +### Go + +```bash +# CycloneDX Go module +cyclonedx-gomod mod -json -output sbom.json +``` + +--- + +## 3. SBOM Validation (SC-16, V-1~V-5) + +```bash +# Validate CycloneDX format +npm install -g @cyclonedx/cyclonedx-cli +cyclonedx validate --input-file sbom.json --input-format json + +# Check component count +cat sbom.json | python -c " +import json, sys +data = json.load(sys.stdin) +comps = data.get('components', []) +print(f'Components: {len(comps)}') +for c in comps[:10]: + print(f' {c.get(\"name\", \"?\")}@{c.get(\"version\", \"?\")} [{c.get(\"licenses\", [{}])}]') +" +``` + +--- + +## 4. Cross-Validation with Multiple Tools (V-3) + +```bash +# Generate SBOM with two different tools +syft dir:. -o cyclonedx-json > sbom-syft.json +cyclonedx-npm --output-file sbom-cdx.json + +# Compare component counts +echo "Syft components:" +cat sbom-syft.json | python -c "import json,sys; print(len(json.load(sys.stdin).get('components',[])))" +echo "CycloneDX-npm components:" +cat sbom-cdx.json | python -c "import json,sys; print(len(json.load(sys.stdin).get('components',[])))" +``` + +--- + +## 5. CI/CD Integration (SC-11, SC-13) + +### GitHub Actions + +```yaml +name: SBOM & Security +on: [push, pull_request] +jobs: + sbom: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Generate SBOM + uses: anchore/sbom-action@v0 + with: + format: cyclonedx-json + output-file: sbom.json + - name: Scan Vulnerabilities + uses: anchore/scan-action@v4 + with: + sbom: sbom.json + fail-build: true + severity-cutoff: high + - name: Archive SBOM + uses: actions/upload-artifact@v4 + with: + name: sbom + path: sbom.json +``` + +### GitLab CI/CD + +```yaml +sbom-scan: + stage: test + image: anchore/syft:latest + script: + - syft dir:. -o cyclonedx-json > sbom.json + - grype sbom:sbom.json --fail-on high + artifacts: + paths: + - sbom.json +``` diff --git a/skills/kesekit-guide/scripts/supply-chain/sbom-vuln-scan.md b/skills/kesekit-guide/scripts/supply-chain/sbom-vuln-scan.md new file mode 100644 index 0000000..c3901dd --- /dev/null +++ b/skills/kesekit-guide/scripts/supply-chain/sbom-vuln-scan.md @@ -0,0 +1,151 @@ +# SBOM Vulnerability Scanning & Remediation + +> Source: SW 공급망 보안 가이드라인 v1.0 (KISA) +> Checklist refs: SC-10, SC-14, SC-15, SC-23, SC-24, SC-27 + +--- + +## 1. Vulnerability Scanning with Grype (SC-14) + +```bash +# Scan from SBOM file +grype sbom:sbom.json + +# Scan with severity threshold (fail on high+) +grype sbom:sbom.json --fail-on high + +# Output as JSON for processing +grype sbom:sbom.json -o json > vuln-report.json + +# Scan source directory directly +grype dir:. --fail-on critical +``` + +--- + +## 2. Package Manager Built-in Audit (SC-10) + +### Node.js + +```bash +# npm audit +npm audit +npm audit --json > npm-audit.json + +# Fix automatically +npm audit fix +npm audit fix --force # including breaking changes +``` + +### Python + +```bash +# pip-audit +pip install pip-audit +pip-audit +pip-audit -f json -o pip-audit.json + +# safety +pip install safety +safety check +``` + +### Java + +```bash +# OWASP Dependency-Check +mvn org.owasp:dependency-check-maven:check +``` + +### .NET + +```bash +dotnet list package --vulnerable +dotnet list package --vulnerable --include-transitive +``` + +### Go + +```bash +# govulncheck +go install golang.org/x/vuln/cmd/govulncheck@latest +govulncheck ./... +``` + +--- + +## 3. NVD/CVE Lookup (SC-15, SC-23) + +```bash +# Search NVD for specific CVE +curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-44228" | python -m json.tool + +# Search by keyword +curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=log4j" | python -m json.tool | head -50 + +# Check CISA KEV (Known Exploited Vulnerabilities) +curl -s "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" | python -c " +import json, sys +data = json.load(sys.stdin) +for v in data['vulnerabilities'][:5]: + print(f\"{v['cveID']} | {v['vendorProject']} | {v['product']} | Due: {v['dueDate']}\") +" +``` + +--- + +## 4. CVSS Severity Assessment (SC-15) + +| CVSS Score | Severity | Required Action | SLA | +|:----------:|----------|----------------|:---:| +| 9.0-10.0 | Critical | Immediate patch/mitigation | 24h | +| 7.0-8.9 | High | Urgent remediation | 7d | +| 4.0-6.9 | Medium | Planned remediation | 30d | +| 0.1-3.9 | Low | Monitor, next release | 90d | + +--- + +## 5. Vulnerability Response Record (SC-24, SC-28) + +| Field | Description | +|-------|-------------| +| CVE ID | Vulnerability identifier (e.g., CVE-2021-44228) | +| Component | Affected component name and version | +| CVSS Score | Severity score (0.0-10.0) | +| KEV Status | Whether listed in CISA KEV | +| Business Impact | Affected services/data/operations | +| EoS Status | End-of-Support status of component | +| Priority | P0 (Critical) / P1 (High) / P2 (Medium) / P3 (Low) | +| Remediation | Patch / Upgrade / Virtual patch / Isolate / Accept risk | +| SLA | Target remediation date | +| Owner | Responsible team and person | +| Verification | Re-scan result, regression test link | +| Status | Planned / In Progress / Completed / Exception (approved) | + +--- + +## 6. License Scanning (SC-19) + +```bash +# License check with Syft + Grype +syft dir:. -o cyclonedx-json | python -c " +import json, sys +data = json.load(sys.stdin) +for c in data.get('components', []): + licenses = c.get('licenses', []) + lic_names = [l.get('license', {}).get('id', 'Unknown') for l in licenses] + print(f\"{c['name']}@{c.get('version','?')} : {', '.join(lic_names) or 'No license'}\") +" + +# Check for copyleft licenses (GPL risk) +syft dir:. -o cyclonedx-json | python -c " +import json, sys +data = json.load(sys.stdin) +copyleft = ['GPL', 'LGPL', 'AGPL', 'MPL'] +for c in data.get('components', []): + for l in c.get('licenses', []): + lid = l.get('license', {}).get('id', '') + if any(cl in lid.upper() for cl in copyleft): + print(f'WARNING: {c[\"name\"]}@{c.get(\"version\",\"?\")} uses {lid}') +" +``` diff --git a/skills/kesekit-guide/templates/supply-chain/overview.md b/skills/kesekit-guide/templates/supply-chain/overview.md new file mode 100644 index 0000000..db49683 --- /dev/null +++ b/skills/kesekit-guide/templates/supply-chain/overview.md @@ -0,0 +1,47 @@ +# SW Supply Chain Security Assessment Overview + +> Domain: SW Supply Chain Security (6 categories, 29 items) +> Source: SW 공급망 보안 가이드라인 v1.0 (국정원·과기정통부·KISA, 2024.05) +> Standards: NIST SP 800-161r1, NIST SP 800-218, NTIA SBOM + +--- + +## Assessment Categories + +| # | Category | Items | Scope | +|---|----------|:-----:|-------| +| 1 | Design Phase | 5 | Roles, training, SBOM planning, environment, security specs | +| 2 | Development Phase | 11 | Secure coding, libraries, build security, SBOM management | +| 3 | Supply/Distribution Phase | 3 | Integrity, archival, SBOM delivery | +| 4 | Deployment & Operations Phase | 7 | Requirements, verification, monitoring, SBOM review | +| 5 | Maintenance Phase | 3 | Updates, history, SBOM refresh | +| **Total** | | **29** | | + +## Judgment Criteria + +| Result | Condition | +|--------|-----------| +| **Pass** | Item requirement fully met with evidence | +| **Partial** | Partially implemented or missing documentation | +| **Fail** | Not implemented or no evidence | +| **N/A** | Not applicable to this environment | + +## Severity Classification + +| Severity | Description | Items | +|----------|-------------|:-----:| +| **Critical** | SBOM not generated, no vulnerability scanning | SC-10, SC-14, SC-15 | +| **High** | No integrity verification, no access control | SC-07, SC-08, SC-09, SC-17, SC-22 | +| **Medium** | Missing training, incomplete documentation | SC-02, SC-05, SC-13, SC-16 | +| **Low** | Process improvement opportunities | SC-01, SC-03, SC-04 | + +## Assessment Scope Detection + +| Context | Indicators | +|---------|-----------| +| SBOM Required | npm/pip/maven project, government/public sector delivery | +| Supply Chain Risk | External libraries, OSS components, 3rd-party dependencies | +| Regulatory | US federal SW, EU digital product, Korean public sector | +| Vibe Coding | AI-generated code with auto-imported dependencies | + +Load `templates/supply-chain/sbom-checklist.md` for the full 29-item assessment. diff --git a/skills/kesekit-guide/templates/supply-chain/sbom-checklist.md b/skills/kesekit-guide/templates/supply-chain/sbom-checklist.md new file mode 100644 index 0000000..95458cd --- /dev/null +++ b/skills/kesekit-guide/templates/supply-chain/sbom-checklist.md @@ -0,0 +1,93 @@ +# SW Supply Chain Security Self-Assessment Checklist + +> Source: SW 공급망 보안 가이드라인 v1.0 (국정원·과기정통부·KISA, 2024.05) +> Standards: NIST SP 800-161r1, NIST SP 800-218 +> Total: 29 items (Design 5 + Development 11 + Supply 3 + Operations 7 + Maintenance 3) + +--- + +## 1. Design Phase (5 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-01 | Roles & responsibilities for secure development defined | Organization notice with security roles and responsibilities | Low | +| SC-02 | Security training provided to developers | Supply chain security, secure coding training records | Medium | +| SC-03 | Supply chain security considered in design | Configuration management, SBOM generation & management plan | Low | +| SC-04 | Development environment security managed | OS/antivirus update status on dev endpoints | Low | +| SC-05 | Key security items identified and documented | Data protection level, encryption, authentication, access control specs | Medium | + +--- + +## 2. Development Phase (11 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-06 | Secure coding practices followed | Secure coding verification during source/build | Medium | +| SC-07 | Default security settings reviewed before deployment | SSL, access permissions, repository encryption enabled | High | +| SC-08 | External library security verified on import | Malware/integrity check for external libraries | High | +| SC-09 | Internal repository access restricted to authorized users | Source code management system access control | High | +| SC-10 | OSS and internal code continuously scanned for vulnerabilities | Vulnerability scan logs available | **Critical** | +| SC-11 | Automated security tests in build process | CI/CD pipeline includes security testing | Medium | +| SC-12 | Compiler/interpreter security options enabled | Build options with security features activated | Medium | +| SC-13 | Build artifacts preserved | Executables, compile logs, SBOM, test results archived | Medium | +| SC-14 | SBOM component vulnerabilities checked | Vulnerability identification from SBOM results | **Critical** | +| SC-15 | Severe vulnerabilities have validation process | CVSS 7.0+ components verified for exploitability | **Critical** | +| SC-16 | SBOM creation history maintained | SBOM generation records retained | Medium | + +--- + +## 3. Supply/Distribution Phase (3 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-17 | SW integrity verification data provided | Code signing, hash values delivered | High | +| SC-18 | Source code, libraries, OSS info securely archived | Secure storage of source materials | Medium | +| SC-19 | SBOM, vulnerability, license info shared with customer | SBOM utilization for transparency | Medium | + +--- + +## 4. Deployment & Operations Phase (7 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-20 | Supply chain security requirements manual exists | SBOM provision, vulnerability remediation, update requirements | Medium | +| SC-21 | Security requirements verified at contract | Compliance confirmation | Medium | +| SC-22 | SW integrity verified via code signing/hash | Code signature and hash validation | High | +| SC-23 | CVE monitoring for deployed SW | Known vulnerability alerts monitored | High | +| SC-24 | Severe vulnerability response process exists | Remediation request procedure to supplier | High | +| SC-25 | SBOM received for externally developed SW | SBOM review for outsourced SW | Medium | +| SC-26 | External code scanned for vulnerabilities | Security vulnerability check for outsourced code | High | + +--- + +## 5. Maintenance Phase (3 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-27 | Security updates regularly checked | Patch application status | High | +| SC-28 | Vulnerability remediation history maintained | Remediation action documentation | Medium | +| SC-29 | SBOM regularly updated | SBOM refreshed on SW changes | Medium | + +--- + +## Scoring + +| Pass Rate | Result | +|:---------:|--------| +| >= 80% | **PASS** - Supply chain security posture adequate | +| 60-79% | **CONDITIONAL** - Remediation plan required | +| < 60% | **FAIL** - Deployment blocked, critical gaps | + +Critical items (SC-10, SC-14, SC-15) must ALL pass regardless of overall score. + +--- + +## SBOM Validity Verification Checklist + +| # | Check | Description | +|---|-------|-------------| +| V-1 | Developer confirmation | Compare SBOM data with actual product info (language, framework, OSS) | +| V-2 | Completeness check | Verify no missing fields per CycloneDX/SPDX standard | +| V-3 | Cross-validation | Compare results from 2+ SBOM tools | +| V-4 | Source vs Binary | Compare source-based and binary-based SBOM results | +| V-5 | Hidden components | Check for undiscovered OSS components post-installation | diff --git a/skills/kesekit-start/SKILL.md b/skills/kesekit-start/SKILL.md index 5ef24c5..6e83292 100644 --- a/skills/kesekit-start/SKILL.md +++ b/skills/kesekit-start/SKILL.md @@ -1,6 +1,6 @@ --- name: kesekit-start -description: Run a security vulnerability assessment based on KISA guidelines. Supports CII (560+ items), AI Security Guide, Robot Security (103 items), Space Security (satellite/GSaaS/supply chain, 12 domains, 53 items), and Zero Trust (~396 items). Use when "security assessment", "vulnerability scan", "CII audit", "KISA assessment", "AI security", "robot security", "space security", "satellite security", "GSaaS security", "zero trust", "ZTA", "ZTNA". +description: Run a security vulnerability assessment based on KISA guidelines. Supports CII (560+ items), AI Security Guide, Robot Security (103 items), Space Security (satellite/GSaaS/supply chain, 12 domains, 53 items), Secure Coding (46 CWE), Zero Trust (~396 items), and SW Supply Chain Security (SBOM, 29 items). Use when "security assessment", "vulnerability scan", "CII audit", "KISA assessment", "AI security", "robot security", "space security", "satellite security", "GSaaS security", "zero trust", "ZTA", "ZTNA", "supply chain", "SBOM", "공급망", "C-SCRM". --- # KESE Security Vulnerability Assessment @@ -17,6 +17,7 @@ Perform comprehensive security vulnerability assessment based on KISA guidelines | 4 | **Space Security** | Satellite/GSaaS/Supply chain checklist (12 domains) | 53 | | 5 | **Secure Coding** | JavaScript/Python secure coding (7 categories, 46 CWE) | 46 | | 6 | **Zero Trust** | Zero Trust maturity assessment (8 elements, 4 maturity levels) | ~396 | +| 7 | **SW Supply Chain** | SBOM-based supply chain security (5 phases, 29 items) | 29 | ### Auto-detection - Servers, networks, databases, web services, firewalls → **CII** @@ -25,6 +26,7 @@ Perform comprehensive security vulnerability assessment based on KISA guidelines - Satellites, ground stations, GSaaS, space systems, GNSS, VSAT, LEO constellation, space supply chain → **Space Security** - JavaScript, Python, web application code, secure coding, CWE, OWASP → **Secure Coding** - Zero Trust, ZTA, ZTNA, 제로트러스트, 마이크로세그멘테이션, microsegmentation, SDP, SASE, PEP/PDP, never trust always verify → **Zero Trust** +- SBOM, supply chain, 공급망, C-SCRM, SCA, CycloneDX, SPDX, npm audit, pip-audit, software bill of materials, 소프트웨어 공급망 → **SW Supply Chain** --- @@ -154,6 +156,30 @@ Read from `references/zero-trust/` for overview and maturity model, and `templat --- +## SW Supply Chain Branch + +Read from `references/supply-chain/` for overview and threat scenarios, and `templates/supply-chain/` for assessment checklists. Use `scripts/supply-chain/` for SBOM generation and vulnerability scanning commands. + +| Topic | Reference File | +|-------|---------------| +| Overview (C-SCRM, SBOM, Regulations) | `references/supply-chain/overview.md` | +| Assessment Overview (6 categories) | `templates/supply-chain/overview.md` | +| Self-Assessment Checklist (29 items) | `templates/supply-chain/sbom-checklist.md` | +| SBOM Generation Scripts | `scripts/supply-chain/sbom-generate.md` | +| Vulnerability Scanning Scripts | `scripts/supply-chain/sbom-vuln-scan.md` | + +5 phases: Design (5) → Development (11) → Supply (3) → Operations (7) → Maintenance (3). Standards: NIST SP 800-161r1 (C-SCRM), NIST SP 800-218 (SSDF), NTIA SBOM, NIS-SBOM. + +### Assessment Flow +1. Start with `references/supply-chain/overview.md` for context +2. Load `templates/supply-chain/sbom-checklist.md` for the 29-item checklist +3. Assess each phase (Design → Development → Supply → Operations → Maintenance) +4. Critical items (SC-10, SC-14, SC-15) must ALL pass +5. Use `scripts/supply-chain/sbom-generate.md` for SBOM creation commands +6. Use `scripts/supply-chain/sbom-vuln-scan.md` for vulnerability scanning + +--- + ## Notes - Do not modify files during assessment — read-only - Mark N/A for technologies not present diff --git a/skills/kesekit-start/references/supply-chain/overview.md b/skills/kesekit-start/references/supply-chain/overview.md new file mode 100644 index 0000000..fadab04 --- /dev/null +++ b/skills/kesekit-start/references/supply-chain/overview.md @@ -0,0 +1,111 @@ +# SW Supply Chain Security Overview + +> Source: SW 공급망 보안 가이드라인 v1.0 (2024.05, 국가정보원·과기정통부·디플정위·KISA) +> Domain: SW Supply Chain Risk Management, SBOM-based Security +> Standards: NIST SP 800-161r1 (C-SCRM), NIST SP 800-218 (SSDF), NTIA SBOM Minimum Elements + +--- + +## 1. Supply Chain Attack Types (7 Categories) + +| # | Attack Type | Description | Example | +|---|------------|-------------|---------| +| 1 | **Open Source Vulnerability** | Exploiting known CVEs in widely used OSS | Log4Shell (CVE-2021-44228) | +| 2 | **Third-party Dependency** | Compromised 3rd-party libraries/modules | event-stream malicious injection | +| 3 | **Public Repository** | Malicious packages via npm/PyPI/Maven | Typosquatting attacks | +| 4 | **Build System** | CI/CD pipeline compromise | SolarWinds Orion | +| 5 | **Update Hijacking** | Intercepting legitimate update channels | Kaseya VSA ransomware | +| 6 | **Internal Repository** | Enterprise code repository breach | Codecov credential leak | +| 7 | **Supplier/Partner** | Trusted vendor as attack vector | NotPetya via M.E.Doc | + +--- + +## 2. C-SCRM Framework (NIST SP 800-161r1) + +``` +┌────────────────────────────────────────┐ +│ Level 1 - Enterprise │ +│ C-SCRM strategy, policy, governance │ +├────────────────────────────────────────┤ +│ Level 2 - Mission/Business Process │ +│ Process-specific risk management │ +├────────────────────────────────────────┤ +│ Level 3 - Operational │ +│ System-level SCRM in SDLC │ +└────────────────────────────────────────┘ +``` + +### Supply Chain Participants + +| Role | Responsibilities | +|------|-----------------| +| **Developer** | Secure coding, SBOM generation, vulnerability patching | +| **Supplier** | Security verification, integrity validation, customer notification | +| **Operator** | Security requirements, acceptance testing, lifecycle management | + +--- + +## 3. SBOM (Software Bill of Materials) + +### NTIA Minimum Elements (7 Data Fields) + +| Field | Description | +|-------|-------------| +| Supplier Name | Entity that created/identified the component | +| Timestamp | Date/time of SBOM assembly | +| Author Name | Entity creating the SBOM data | +| Component Name | Name assigned to the SW unit | +| Version String | Version identifier | +| Unique Identifier | Lookup key for component identification | +| Relationship | Dependency relationship (X included in Y) | + +### SBOM Standards + +| Standard | Organization | Focus | International | +|----------|-------------|-------|:------------:| +| SPDX | Linux Foundation | License management | ISO/IEC 5962 | +| CycloneDX | OWASP | Supply chain security | - | +| SWID | NIST/US Commerce | SW asset management | ISO/IEC 19770-2 | + +### NIS-SBOM (Korea, 20 Fields) + +Extended from NTIA 7 fields to 20 fields for Korean government/public sector: +- SBOM Standard, SBOM Type, CycloneDX No, SPDX Doc. ID +- SBOM ID, Product Name/Version, Component Name/Alias/Version +- Component Supplier Name, Hash, Path +- SBOM Author Name, Unique Identifier, Dependency Relationship +- Timestamp, License Name Version, Vul. DB, Vul. Info + +--- + +## 4. Vulnerability Management Flow + +``` +SBOM Generate → CVE Lookup (NVD) → CVSS Scoring → Remediation Plan + │ │ │ │ + SCA tools nvd.nist.gov 0.0~10.0 scale Priority action +``` + +### CVSS Severity Levels + +| Score | Severity | Action | +|:-----:|----------|--------| +| 9.0-10.0 | Critical | Immediate remediation | +| 7.0-8.9 | High | Urgent remediation | +| 4.0-6.9 | Medium | Planned remediation | +| 0.1-3.9 | Low | Monitor | + +--- + +## 5. Regulatory Landscape + +| Country | Regulation | SBOM Requirement | Timeline | +|---------|-----------|------------------|----------| +| USA | EO 14028 + OMB M-22-18 | SBOM submission for federal SW | Active | +| EU | Cyber Resilience Act (CRA) | SBOM for all digital products | 2026 H2 | +| Japan | METI SBOM Roadmap | Industry-specific SBOM adoption | Phased | +| Korea | NIS-SBOM | 20-field SBOM for public sector | In progress | + +--- + +Total assessment items: **29 self-check items** (Design: 5, Development: 11, Supply: 3, Operations: 7, Maintenance: 3) diff --git a/skills/kesekit-start/scripts/supply-chain/sbom-generate.md b/skills/kesekit-start/scripts/supply-chain/sbom-generate.md new file mode 100644 index 0000000..285119f --- /dev/null +++ b/skills/kesekit-start/scripts/supply-chain/sbom-generate.md @@ -0,0 +1,153 @@ +# SBOM Generation Scripts + +> Source: SW 공급망 보안 가이드라인 v1.0 (KISA) +> Checklist refs: SC-03, SC-10, SC-13, SC-14, SC-16 + +--- + +## 1. SBOM Generation with Syft (SC-10, SC-14) + +```bash +# Source code directory scan +syft dir:. -o cyclonedx-json > sbom-cyclonedx.json +syft dir:. -o spdx-json > sbom-spdx.json + +# Container image scan +syft : -o cyclonedx-json > sbom-container.json + +# Specific package manager lockfile +syft file:package-lock.json -o cyclonedx-json > sbom.json +``` + +--- + +## 2. Language-Specific SBOM Tools (SC-10) + +### Node.js (npm/yarn) + +```bash +# CycloneDX npm plugin +npm install -g @cyclonedx/cyclonedx-npm +cyclonedx-npm --output-file sbom.json + +# yarn +npm install -g @cyclonedx/cyclonedx-npm +cyclonedx-npm --package-lock-only --output-file sbom.json +``` + +### Python (pip/poetry) + +```bash +# CycloneDX Python +pip install cyclonedx-bom +cyclonedx-py requirements -i requirements.txt -o sbom.json --format json + +# Poetry +cyclonedx-py poetry -o sbom.json --format json +``` + +### Java (Maven/Gradle) + +```bash +# Maven CycloneDX plugin +mvn org.cyclonedx:cyclonedx-maven-plugin:makeBom + +# Gradle +gradle cyclonedxBom +``` + +### .NET (NuGet) + +```bash +dotnet tool install --global CycloneDX +dotnet CycloneDX .csproj -o sbom.json -j +``` + +### Go + +```bash +# CycloneDX Go module +cyclonedx-gomod mod -json -output sbom.json +``` + +--- + +## 3. SBOM Validation (SC-16, V-1~V-5) + +```bash +# Validate CycloneDX format +npm install -g @cyclonedx/cyclonedx-cli +cyclonedx validate --input-file sbom.json --input-format json + +# Check component count +cat sbom.json | python -c " +import json, sys +data = json.load(sys.stdin) +comps = data.get('components', []) +print(f'Components: {len(comps)}') +for c in comps[:10]: + print(f' {c.get(\"name\", \"?\")}@{c.get(\"version\", \"?\")} [{c.get(\"licenses\", [{}])}]') +" +``` + +--- + +## 4. Cross-Validation with Multiple Tools (V-3) + +```bash +# Generate SBOM with two different tools +syft dir:. -o cyclonedx-json > sbom-syft.json +cyclonedx-npm --output-file sbom-cdx.json + +# Compare component counts +echo "Syft components:" +cat sbom-syft.json | python -c "import json,sys; print(len(json.load(sys.stdin).get('components',[])))" +echo "CycloneDX-npm components:" +cat sbom-cdx.json | python -c "import json,sys; print(len(json.load(sys.stdin).get('components',[])))" +``` + +--- + +## 5. CI/CD Integration (SC-11, SC-13) + +### GitHub Actions + +```yaml +name: SBOM & Security +on: [push, pull_request] +jobs: + sbom: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Generate SBOM + uses: anchore/sbom-action@v0 + with: + format: cyclonedx-json + output-file: sbom.json + - name: Scan Vulnerabilities + uses: anchore/scan-action@v4 + with: + sbom: sbom.json + fail-build: true + severity-cutoff: high + - name: Archive SBOM + uses: actions/upload-artifact@v4 + with: + name: sbom + path: sbom.json +``` + +### GitLab CI/CD + +```yaml +sbom-scan: + stage: test + image: anchore/syft:latest + script: + - syft dir:. -o cyclonedx-json > sbom.json + - grype sbom:sbom.json --fail-on high + artifacts: + paths: + - sbom.json +``` diff --git a/skills/kesekit-start/scripts/supply-chain/sbom-vuln-scan.md b/skills/kesekit-start/scripts/supply-chain/sbom-vuln-scan.md new file mode 100644 index 0000000..c3901dd --- /dev/null +++ b/skills/kesekit-start/scripts/supply-chain/sbom-vuln-scan.md @@ -0,0 +1,151 @@ +# SBOM Vulnerability Scanning & Remediation + +> Source: SW 공급망 보안 가이드라인 v1.0 (KISA) +> Checklist refs: SC-10, SC-14, SC-15, SC-23, SC-24, SC-27 + +--- + +## 1. Vulnerability Scanning with Grype (SC-14) + +```bash +# Scan from SBOM file +grype sbom:sbom.json + +# Scan with severity threshold (fail on high+) +grype sbom:sbom.json --fail-on high + +# Output as JSON for processing +grype sbom:sbom.json -o json > vuln-report.json + +# Scan source directory directly +grype dir:. --fail-on critical +``` + +--- + +## 2. Package Manager Built-in Audit (SC-10) + +### Node.js + +```bash +# npm audit +npm audit +npm audit --json > npm-audit.json + +# Fix automatically +npm audit fix +npm audit fix --force # including breaking changes +``` + +### Python + +```bash +# pip-audit +pip install pip-audit +pip-audit +pip-audit -f json -o pip-audit.json + +# safety +pip install safety +safety check +``` + +### Java + +```bash +# OWASP Dependency-Check +mvn org.owasp:dependency-check-maven:check +``` + +### .NET + +```bash +dotnet list package --vulnerable +dotnet list package --vulnerable --include-transitive +``` + +### Go + +```bash +# govulncheck +go install golang.org/x/vuln/cmd/govulncheck@latest +govulncheck ./... +``` + +--- + +## 3. NVD/CVE Lookup (SC-15, SC-23) + +```bash +# Search NVD for specific CVE +curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-44228" | python -m json.tool + +# Search by keyword +curl -s "https://services.nvd.nist.gov/rest/json/cves/2.0?keywordSearch=log4j" | python -m json.tool | head -50 + +# Check CISA KEV (Known Exploited Vulnerabilities) +curl -s "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" | python -c " +import json, sys +data = json.load(sys.stdin) +for v in data['vulnerabilities'][:5]: + print(f\"{v['cveID']} | {v['vendorProject']} | {v['product']} | Due: {v['dueDate']}\") +" +``` + +--- + +## 4. CVSS Severity Assessment (SC-15) + +| CVSS Score | Severity | Required Action | SLA | +|:----------:|----------|----------------|:---:| +| 9.0-10.0 | Critical | Immediate patch/mitigation | 24h | +| 7.0-8.9 | High | Urgent remediation | 7d | +| 4.0-6.9 | Medium | Planned remediation | 30d | +| 0.1-3.9 | Low | Monitor, next release | 90d | + +--- + +## 5. Vulnerability Response Record (SC-24, SC-28) + +| Field | Description | +|-------|-------------| +| CVE ID | Vulnerability identifier (e.g., CVE-2021-44228) | +| Component | Affected component name and version | +| CVSS Score | Severity score (0.0-10.0) | +| KEV Status | Whether listed in CISA KEV | +| Business Impact | Affected services/data/operations | +| EoS Status | End-of-Support status of component | +| Priority | P0 (Critical) / P1 (High) / P2 (Medium) / P3 (Low) | +| Remediation | Patch / Upgrade / Virtual patch / Isolate / Accept risk | +| SLA | Target remediation date | +| Owner | Responsible team and person | +| Verification | Re-scan result, regression test link | +| Status | Planned / In Progress / Completed / Exception (approved) | + +--- + +## 6. License Scanning (SC-19) + +```bash +# License check with Syft + Grype +syft dir:. -o cyclonedx-json | python -c " +import json, sys +data = json.load(sys.stdin) +for c in data.get('components', []): + licenses = c.get('licenses', []) + lic_names = [l.get('license', {}).get('id', 'Unknown') for l in licenses] + print(f\"{c['name']}@{c.get('version','?')} : {', '.join(lic_names) or 'No license'}\") +" + +# Check for copyleft licenses (GPL risk) +syft dir:. -o cyclonedx-json | python -c " +import json, sys +data = json.load(sys.stdin) +copyleft = ['GPL', 'LGPL', 'AGPL', 'MPL'] +for c in data.get('components', []): + for l in c.get('licenses', []): + lid = l.get('license', {}).get('id', '') + if any(cl in lid.upper() for cl in copyleft): + print(f'WARNING: {c[\"name\"]}@{c.get(\"version\",\"?\")} uses {lid}') +" +``` diff --git a/skills/kesekit-start/templates/supply-chain/overview.md b/skills/kesekit-start/templates/supply-chain/overview.md new file mode 100644 index 0000000..db49683 --- /dev/null +++ b/skills/kesekit-start/templates/supply-chain/overview.md @@ -0,0 +1,47 @@ +# SW Supply Chain Security Assessment Overview + +> Domain: SW Supply Chain Security (6 categories, 29 items) +> Source: SW 공급망 보안 가이드라인 v1.0 (국정원·과기정통부·KISA, 2024.05) +> Standards: NIST SP 800-161r1, NIST SP 800-218, NTIA SBOM + +--- + +## Assessment Categories + +| # | Category | Items | Scope | +|---|----------|:-----:|-------| +| 1 | Design Phase | 5 | Roles, training, SBOM planning, environment, security specs | +| 2 | Development Phase | 11 | Secure coding, libraries, build security, SBOM management | +| 3 | Supply/Distribution Phase | 3 | Integrity, archival, SBOM delivery | +| 4 | Deployment & Operations Phase | 7 | Requirements, verification, monitoring, SBOM review | +| 5 | Maintenance Phase | 3 | Updates, history, SBOM refresh | +| **Total** | | **29** | | + +## Judgment Criteria + +| Result | Condition | +|--------|-----------| +| **Pass** | Item requirement fully met with evidence | +| **Partial** | Partially implemented or missing documentation | +| **Fail** | Not implemented or no evidence | +| **N/A** | Not applicable to this environment | + +## Severity Classification + +| Severity | Description | Items | +|----------|-------------|:-----:| +| **Critical** | SBOM not generated, no vulnerability scanning | SC-10, SC-14, SC-15 | +| **High** | No integrity verification, no access control | SC-07, SC-08, SC-09, SC-17, SC-22 | +| **Medium** | Missing training, incomplete documentation | SC-02, SC-05, SC-13, SC-16 | +| **Low** | Process improvement opportunities | SC-01, SC-03, SC-04 | + +## Assessment Scope Detection + +| Context | Indicators | +|---------|-----------| +| SBOM Required | npm/pip/maven project, government/public sector delivery | +| Supply Chain Risk | External libraries, OSS components, 3rd-party dependencies | +| Regulatory | US federal SW, EU digital product, Korean public sector | +| Vibe Coding | AI-generated code with auto-imported dependencies | + +Load `templates/supply-chain/sbom-checklist.md` for the full 29-item assessment. diff --git a/skills/kesekit-start/templates/supply-chain/sbom-checklist.md b/skills/kesekit-start/templates/supply-chain/sbom-checklist.md new file mode 100644 index 0000000..95458cd --- /dev/null +++ b/skills/kesekit-start/templates/supply-chain/sbom-checklist.md @@ -0,0 +1,93 @@ +# SW Supply Chain Security Self-Assessment Checklist + +> Source: SW 공급망 보안 가이드라인 v1.0 (국정원·과기정통부·KISA, 2024.05) +> Standards: NIST SP 800-161r1, NIST SP 800-218 +> Total: 29 items (Design 5 + Development 11 + Supply 3 + Operations 7 + Maintenance 3) + +--- + +## 1. Design Phase (5 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-01 | Roles & responsibilities for secure development defined | Organization notice with security roles and responsibilities | Low | +| SC-02 | Security training provided to developers | Supply chain security, secure coding training records | Medium | +| SC-03 | Supply chain security considered in design | Configuration management, SBOM generation & management plan | Low | +| SC-04 | Development environment security managed | OS/antivirus update status on dev endpoints | Low | +| SC-05 | Key security items identified and documented | Data protection level, encryption, authentication, access control specs | Medium | + +--- + +## 2. Development Phase (11 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-06 | Secure coding practices followed | Secure coding verification during source/build | Medium | +| SC-07 | Default security settings reviewed before deployment | SSL, access permissions, repository encryption enabled | High | +| SC-08 | External library security verified on import | Malware/integrity check for external libraries | High | +| SC-09 | Internal repository access restricted to authorized users | Source code management system access control | High | +| SC-10 | OSS and internal code continuously scanned for vulnerabilities | Vulnerability scan logs available | **Critical** | +| SC-11 | Automated security tests in build process | CI/CD pipeline includes security testing | Medium | +| SC-12 | Compiler/interpreter security options enabled | Build options with security features activated | Medium | +| SC-13 | Build artifacts preserved | Executables, compile logs, SBOM, test results archived | Medium | +| SC-14 | SBOM component vulnerabilities checked | Vulnerability identification from SBOM results | **Critical** | +| SC-15 | Severe vulnerabilities have validation process | CVSS 7.0+ components verified for exploitability | **Critical** | +| SC-16 | SBOM creation history maintained | SBOM generation records retained | Medium | + +--- + +## 3. Supply/Distribution Phase (3 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-17 | SW integrity verification data provided | Code signing, hash values delivered | High | +| SC-18 | Source code, libraries, OSS info securely archived | Secure storage of source materials | Medium | +| SC-19 | SBOM, vulnerability, license info shared with customer | SBOM utilization for transparency | Medium | + +--- + +## 4. Deployment & Operations Phase (7 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-20 | Supply chain security requirements manual exists | SBOM provision, vulnerability remediation, update requirements | Medium | +| SC-21 | Security requirements verified at contract | Compliance confirmation | Medium | +| SC-22 | SW integrity verified via code signing/hash | Code signature and hash validation | High | +| SC-23 | CVE monitoring for deployed SW | Known vulnerability alerts monitored | High | +| SC-24 | Severe vulnerability response process exists | Remediation request procedure to supplier | High | +| SC-25 | SBOM received for externally developed SW | SBOM review for outsourced SW | Medium | +| SC-26 | External code scanned for vulnerabilities | Security vulnerability check for outsourced code | High | + +--- + +## 5. Maintenance Phase (3 items) + +| ID | Item | Detail | Severity | +|----|------|--------|----------| +| SC-27 | Security updates regularly checked | Patch application status | High | +| SC-28 | Vulnerability remediation history maintained | Remediation action documentation | Medium | +| SC-29 | SBOM regularly updated | SBOM refreshed on SW changes | Medium | + +--- + +## Scoring + +| Pass Rate | Result | +|:---------:|--------| +| >= 80% | **PASS** - Supply chain security posture adequate | +| 60-79% | **CONDITIONAL** - Remediation plan required | +| < 60% | **FAIL** - Deployment blocked, critical gaps | + +Critical items (SC-10, SC-14, SC-15) must ALL pass regardless of overall score. + +--- + +## SBOM Validity Verification Checklist + +| # | Check | Description | +|---|-------|-------------| +| V-1 | Developer confirmation | Compare SBOM data with actual product info (language, framework, OSS) | +| V-2 | Completeness check | Verify no missing fields per CycloneDX/SPDX standard | +| V-3 | Cross-validation | Compare results from 2+ SBOM tools | +| V-4 | Source vs Binary | Compare source-based and binary-based SBOM results | +| V-5 | Hidden components | Check for undiscovered OSS components post-installation | diff --git "a/\353\254\270\354\204\234/240513-(\354\232\224\354\225\275\353\263\270)_SW_\352\263\265\352\270\211\353\247\235_\353\263\264\354\225\210_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270.pdf" "b/\353\254\270\354\204\234/240513-(\354\232\224\354\225\275\353\263\270)_SW_\352\263\265\352\270\211\353\247\235_\353\263\264\354\225\210_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270.pdf" new file mode 100644 index 0000000..8b80ae4 Binary files /dev/null and "b/\353\254\270\354\204\234/240513-(\354\232\224\354\225\275\353\263\270)_SW_\352\263\265\352\270\211\353\247\235_\353\263\264\354\225\210_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270.pdf" differ diff --git "a/\353\254\270\354\204\234/240525-(\354\240\204\354\262\264\353\263\270)_SW_\352\263\265\352\270\211\353\247\235_\353\263\264\354\225\210_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270_\354\265\234\354\242\205 \354\210\230\354\240\225\353\263\270.pdf" "b/\353\254\270\354\204\234/240525-(\354\240\204\354\262\264\353\263\270)_SW_\352\263\265\352\270\211\353\247\235_\353\263\264\354\225\210_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270_\354\265\234\354\242\205 \354\210\230\354\240\225\353\263\270.pdf" new file mode 100644 index 0000000..6e4cad6 Binary files /dev/null and "b/\353\254\270\354\204\234/240525-(\354\240\204\354\262\264\353\263\270)_SW_\352\263\265\352\270\211\353\247\235_\353\263\264\354\225\210_\352\260\200\354\235\264\353\223\234\353\235\274\354\235\270_\354\265\234\354\242\205 \354\210\230\354\240\225\353\263\270.pdf" differ