OWASP Software Component Verification Standard

The Software Component Verification Standard (SCVS) is a community-driven effort toestablish a framework for identifying activities, controls, and best practices, which can help in identifying andreducing risk in a software supply chain.

Managing risk in the software supply chain is important to reduce the surface area of systems vulnerable to exploits,and to measure technical debt as a barrier to remediation.

Measuring and improving software supply chain assurance is crucial for success. Organizations with supply chain visibilityare better equipped to protect their brand, increase trust, reduce time-to-market, and manage costs in the event of asupply chain incident.

Raising the bar for supply chain assurance requires the active participation ofrisk managers, mission owners, and business units like legal and procurement, which have not traditionally been involvedwith technical implementation.

Determination of risk acceptance criteria is not a problem that can be solved by enterprise tooling: it is up to riskmanagers and business decision makers to evaluate the advantages and trade-offs of security measures based on systemexposure, regulatory requirements, and constrained financial and human resources. Mandates that are internallyunachievable, or that bring development or procurement to a standstill, constitute their own security and institutionalrisks.

SCVS is designed to be implemented incrementally, and to allow organizations tophase in controls at different levels over time.

SCVS has the following goals:

  • Develop a common set of activities, controls, and best-practices that can reduce risk in a software supply chain
  • Identify a baseline and path to mature software supply chain vigilance

Availability

SCVS is available (in English) as PDF, Word (docx), JSON, or XML. These artifacts can be found in the projectsGitHub releases. It can also beread online.

Translations

The project maintainers are actively looking for volunteers to translate SCVS into a number of languages. Please reach out on the projects Slack channel or on GitHub if interested.

News

  • 2022/10/31 - Website launched -https://scvs.owasp.org
  • 2020/6/25 - v1.0 released
  • 2020/4/16 - Initial preview release v1.0.0-RC.1
  • 2019/8/28 - Project Launched

Acknowledgements

The Software Component Verification Standard is built upon the shoulders of those involved. If credit is missingfrom the list, please contact[email protected] or log a ticket at GitHub to be recognized.

Authors

  • Steve Springett
  • JC Herz
  • Mark Symons

Contributors

  • Dave Russo
  • Garret Fick
  • John Scott
  • Pruthvi Nallapareddy
  • Bryan Garcia
WatchStar
The OWASP® Foundation works to improve the security of software through its community-led open source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.

Information

  • Labs Project
  • Documentation
  • Builder
  • Defender

Get SCVS

External Resources

Licensing

Creative Commons Attribution ShareAlike 4.0 license

Leaders

Upcoming OWASP Global Events