302 – Declare dependencies explicitly

Summary

All dependencies (third-party software/libraries) must be explicitly declared (name and specific version) in a file inside the source code repository. Their source code must not be directly included in the repository.

Description

The usage of third-party software and libraries is very common in modern applications, as it greatly reduces the effort required to develop them. Unfortunately, this software may introduce vulnerabilities into the application, which causes it to require frequent updates. In order to ease the constant update process, instead of directly including third-party software source code in application repositories, it should merely be referenced and managed using a package manager.

Supported In

Essential: True

Advanced: True

References

• OWASP10-A8. Software and data integrity failures
• AGILE-1. Early and continuous delivery of valuable software
• AGILE-9. Continuous attention to technical excellence and good design
• MISRAC-3_6. All libraries used in production code shall be written
• MISRAC-8_8. An external object or function shall be declared in one and only one file
• NYDFS-500_11. Third party service provider security policy
• MITRE-M1044. Restrict library loading
• MITRE-M1051. Update software
• PADSS-5_4_6. Process in place to review application updates
• HITRUST-02_d. Management responsibilities
• HITRUST-05_k. Addressing security in third party agreements
• HITRUST-09_f. Monitoring and review of third-party services
• ISO27002-8_28. Secure coding
• NISTSSDF-PS_1_1. Protect all forms of code from unauthorized access and tampering
• NISTSSDF-PW_4_1. Reuse existing, well-secured software when feasible instead of duplicating functionality
• NISTSSDF-PW_5_1. Archive and protect each software release
• MVSP-2_5. Application design controls - Security libraries
• ASVS-14_2_1. Dependency
• C2M2-9_4_d. Implement software security for cybersecurity architecture
• SIGLITE-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
• SIGLITE-SL_110. Are there any dependencies on critical third party service providers?
• SIG-I_2_1. Application security
• ISO27001-8_28. Secure coding
• CASA-14_2_1. Dependency

Weaknesses

• 120 – Improper dependency pinning
• 138 – Inappropriate coding practices
• 410 – Dependency Confusion
• 432 – Inappropriate coding practices - relative path command
• 079 – Non-upgradable dependencies

Last updated

2023/09/18