Declare dependencies explicitly
Summary
All dependencies (third-party software/libraries) must be explicitly declared (name and specific version) in a file inside the source code repository. Their source code must not be directly included in the repository.
Description
The usage of third-party software and libraries is very common in modern applications, as it greatly reduces the effort required to develop them. Unfortunately, this software may introduce vulnerabilities into the application, which causes it to require frequent updates. In order to ease the constant update process, instead of directly including third-party software source code in application repositories, it should merely be referenced and managed using a package manager.
References
- OWASP10-A8. Software and data integrity failures
- AGILE-1. Early and continuous delivery of valuable software
- AGILE-9. Continuous attention to technical excellence and good design
- MISRAC-3_6. All libraries used in production code shall be written
- MISRAC-8_8. An external object or function shall be declared in one and only one file
- NYDFS-500_11. Third party service provider security policy
- MITRE-M1044. Restrict library loading
- MITRE-M1051. Update software
- PADSS-5_4_6. Process in place to review application updates
- HITRUST-02_d. Management responsibilities
- HITRUST-05_k. Addressing security in third party agreements
- HITRUST-09_f. Monitoring and review of third-party services
- ISO27002-8_28. Secure coding
- NISTSSDF-PS_1_1. Protect all forms of code from unauthorized access and tampering
- NISTSSDF-PW_4_1. Reuse existing, well-secured software when feasible instead of duplicating functionality
- NISTSSDF-PW_5_1. Archive and protect each software release
- MVSP-2_5. Application design controls - Security libraries
- ASVS-14_2_1. Dependency
- C2M2-9_4_d. Implement software security for cybersecurity architecture
- SIGLITE-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
- SIGLITE-SL_110. Are there any dependencies on critical third party service providers?
- SIG-I_2_1. Application security
- ISO27001-8_28. Secure coding
- CASA-14_2_1. Dependency
Weaknesses
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.
Supported In
This requirement is verified in following services
Essential Plan
Advanced Plan