Practical patterns for software intake, approval, inventory reconciliation, and ongoing oversight, using mostly open-source tooling. Built for teams that need a defensible workflow without buying a new platform first.
This repository is a companion to appsec-prodsec-reference: that repo skews toward software you build; this one skews toward software you bring in (installers, extensions, drivers, agents, images, IdP-registered SaaS clients, and similar).
Start here: DISCLAIMER.md
In short:
- This is independent reference material and a personal project, not an employer playbook, not a warranty, and not legal or compliance advice.
- Nothing is guaranteed. You use documents and tools at your own risk; the author disclaims liability to the extent permitted by law.
- Not one-size-fits-all. Adapt every workflow, field, and script to your sector, regulators, and internal approvals.
- Get management and control-owner sign-off (Security, Risk, Legal, Procurement, and others as applicable) before you treat any of this as binding.
If any of the above is a problem for you, do not use this repository.
| If you want to... | Go to |
|---|---|
| Understand scope, limits, and philosophy | Overview and scope |
| Stand up policy / standard / procedure language | Governance: policy, standard, procedure |
| Design intake forms and risk tiers | Intake and risk tiering |
| Run a technical review on a package | IS technical review runbook |
| One-shot EXE / MSI / extension triage (scripts) | tools/REVIEW-PACKAGE.md and tools/README.md |
| Hashes, TLS, signatures, key handling (concepts) | Cryptography and integrity |
| Fill in records | templates/ (see templates/README.md) |
Suggested first read: Overview and scope, then Governance, then Intake and risk tiering. Everything else is reference you open when the request type needs it.
Foundation
- Overview and scope
- Governance: policy, standard, procedure
- Intake and risk tiering
- Cryptography and integrity
Technical review lanes
- IS technical review runbook
- Threat and detection review lane
- Browser extension review
- Driver and kernel-mode review
- Third-party furnished software
Governance and inventory
- TPRM and inventory gates
- Inventory reconciliation across endpoint and identity tools
- Existing-software review and baseline sweep
- AI and LLM considerations
- Metrics and risk register
Templates (narrative / catalog style)
Executable helpers live under tools/. They are reference scripts: read before you run, adapt to your environment, and follow DISCLAIMER.md.
- Index and runtime notes: tools/README.md
- EXE / MSI / extension bundle: tools/REVIEW-PACKAGE.md
Structured blanks for tickets and systems: templates/. Index: templates/README.md.
Citations are for your research, not a claim that this repo fully implements them:
- FFIEC IT Examination Handbook (AIO, Information Security, Outsourcing, Management booklets).
- Interagency Guidance on Third-Party Relationships: Risk Management (June 2023).
- GLBA Safeguards Rule, 16 CFR Part 314.
- California Civil Code 1798.81.5, CCPA/CPRA, CalFIPA.
- NIST Cybersecurity Framework 2.0, NIST SSDF SP 800-218, NIST C-SCRM SP 800-161r1, NIST AI RMF 100-1.
- CIS Controls v8.
- OWASP SCVS, OWASP ASVS, OWASP Top 10 for LLM Applications.
- OWASP Dependency-Track, OWASP CycloneDX.
- OpenSSF SLSA, OpenSSF Scorecard.
- CISA KEV, NIST NVD.
- NIST FIPS 180-4, NIST SP 800-131Ar2, NIST SP 800-52 Rev. 2, NIST SP 800-57 Part 1 Rev. 5, RFC 5280, RFC 8446.
- Microsoft driver blocklist (Learn), LOLDrivers.
Paid tools are mentioned only where relevant; the narrative often assumes zero new license spend.
For tagging releases, keeping a clean main history, and avoiding accidental secret commits, see PUBLISHING.md.
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0). See LICENSE. Tool scripts follow the same license unless a file says otherwise.
Pull requests are welcome for clarity, factual fixes, and tooling that others can audit without a commercial license. By contributing, you agree your contribution can be licensed under the same terms.