262 – Verify third-party components

Summary

The system must use stable, tested and up-to-date versions of third-party components.

Description

- The organization must ensure that the version of all of its products and the products provided by third-parties is up to date, stable and tested. This reduces the risk of including vulnerabilities reported in previous versions. - When a product changes its version, the implemented improvements must be checked to verify if there were fixes or new controls related to recently discovered vulnerabilities.

Supported In

Essential: True

Advanced: True

References

• BSIMM-SR1_5:_101. Identify open source
• CAPEC-42. MIME conversion
• CAPEC-240. Resource injection
• CAPEC-242. Code injection
• CAPEC-682. Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities
• CAPEC-691. Spoof Open-Source Software Metadata
• CAPEC-692. Spoof Version Control System Commit Metadata
• CAPEC-693. StarJacking
• CAPEC-695. Repo Jacking
• CAPEC-698. Install Malicious Extension
• CAPEC-701. Browser in the Middle (BiTM)
• CIS-2_1. Establish and maintain a software inventory
• CIS-7_4. Perform automated application patch management
• CIS-16_4. Establish and manage an inventory of third-Party software components
• CIS-16_5. Use up-to-date and trusted third-party software components
• CWE-353. Missing support for integrity check
• CWE-507. Trojan horse
• CWE-1395. Dependency on Vulnerable Third-Party Component
• OWASP10-A6. Vulnerable and outdated components
• OWASPM10-M8. Code tampering
• NYSHIELD-5575_B_6. Personal and private information
• NYDFS-500_11. Third party service provider security policy
• PADSS-8_2. Use of necessary and secure services, including those provided by third parties
• POPIA-3A_21. Security measures regarding information processed by operator
• CMMC-AC_L1-3_1_20. External connections
• CMMC-CA_L2-3_12_2. Plan of action
• HITRUST-01_j. User authentication for external connections
• HITRUST-03_a. Risk management program development
• HITRUST-05_i. Identification of risks related to external parties
• HITRUST-09_e. Service delivery
• HITRUST-10_l. Outsourced software development
• FEDRAMP-CA-2_3. Security assessment - External organizations
• FEDRAMP-PS-7. Third-party personnel security
• FEDRAMP-SA-9. External information system services
• ISO27002-5_22. Monitoring, review and change management of supplier services
• LGPD-8-6. Requirements for the Processing of Personal Data
• IEC62443-CR-1_1-RE_2. Multifactor authentication for all interfaces
• OSSTMM3-10_2_1. Telecommunications security (logistics) - Framework
• OSSTMM3-10_3_1. Telecommunications security (active detection verification) - Monitoring
• OSSTMM3-10_5_2. Telecommunications security (access verification) - Services
• NISTSSDF-PO_1_3. Define security requirements for software development
• NISTSSDF-PW_4_1. Reuse existing, well-secured software when feasible instead of duplicating functionality
• NISTSSDF-PW_4_4. Reuse existing, well-secured software when feasible instead of duplicating functionality
• PTES-4_3_4. Business process analysis - Third party integration
• PTES-5_2_3_3. Vulnerability analysis - Web application scanners (web server version)
• OWASPSCP-10. System configuration
• OWASPSCP-14. General coding practices
• BSAFSS-SM_2-1. Measures to ensure visibility, traceability, and security of third-party components
• BSAFSS-VN_1-2. Vulnerability notification and patching
• BSAFSS-VN_3-1. Vulnerability notification and patching (updates are accompanied by advisory messages)
• SWIFTCSC-2_2. Security updates
• SWIFTCSC-6_2. Software integrity
• OSAMM-SA. Security Architecture
• ASVS-10_2_4. Malicious code search
• ASVS-10_2_5. Malicious code search
• ASVS-10_3_2. Application integrity
• C2M2-3_2_k. Identify cyber risk
• C2M2-7_1_c. Identify and prioritize third parties
• C2M2-7_2_a. Manage third-party risk
• C2M2-7_2_b. Manage third-party risk
• SIGLITE-SL_154. Do agreements with third parties who have access or potential access to scoped data, address confidentiality, audit, security, and privacy, including but not limited to incident response, monitoring, data sharing and secure disposal of scoped data?
• ASVS-1_14_6. Configuration architecture
• ASVS-14_2_5. Dependency
• OWASPAPI-API9. Improper Inventory Management
• OWASPAPI-API10. Unsafe Consumption of APIs
• ISO27001-5_22. Monitoring, review and change management of supplier services
• CASA-1_14_6. Configuration Architecture
• CASA-10_2_4. Malicious Code Search
• CASA-10_2_5. Malicious Code Search
• CASA-10_3_2. Application Integrity
• OWASPMASVS-CODE-1. The app requires an up-to-date platform version
• OWASPMASVS-CODE-2. The app has a mechanism for enforcing app updates
• OWASPMASVS-CODE-3. The app only uses software components without known vulnerabilities
• OWASPMASVS-RESILIENCE-1. Cryptography requirementsThe app validates the integrity of the platform
• OWASPMASVS-RESILIENCE-2. The app implements anti-tampering mechanisms
• NIST-PR_PS-02. Software is maintained, replaced, and removed commensurate with risk
• NIST-DE_CM-06. External service provider activities and services are monitored to find potentially adverse events
• OWASPLLM-LLM03:2025. Supply Chain
• OWASPLLM-LLM04:2025. Data and Model Poisoning
• OWASPLLM-LLM08:2025. Vector and Embedding Weaknesses

Weaknesses

• 393 – Use of software with known vulnerabilities in development
• 410 – Dependency Confusion
• 435 – Use of software with known vulnerabilities in environments
• 448 – Use of software with malware
• 453 – Data and model poisoning
• 011 – Use of software with known vulnerabilities
• 086 – Missing subresource integrity check

Last updated

2025/06/17