330 – Verify Subresource Integrity

Summary

The application must verify the integrity of all externally hosted resources and dependencies using Subresource Integrity (SRI).

Description

Applications often use resources or have dependencies that are hosted on external servers such as a content delivery network (CDN). Applications must validate the integrity of such assets using Subresource Integrity (SRI), in case those systems are compromised.

Supported In

Essential: True

Advanced: True

References

• CAPEC-148. Content spoofing
• CAPEC-154. Resource location spoofing
• CAPEC-165. File manipulation
• CWE-353. Missing support for integrity check
• CWE-494. Download of code without integrity check
• OWASPM10-M1. Improper platform usage
• NYSHIELD-5575_B_6. Personal and private information
• MITRE-M1035. Limit access to resource over network
• PADSS-5_1_5. Secure practices are implemented to verify integrity of source code during the development process
• CMMC-AC_L1-3_1_20. External connections
• HITRUST-01_j. User authentication for external connections
• HITRUST-10_c. Control of internal processing
• OSSTMM3-10_7_4. Telecommunications security (controls verification) - Integrity
• NISTSSDF-PO_1_3. Define security requirements for software development
• NISTSSDF-PS_2_1. Provide a mechanism for verifying software release integrity
• OWASPSCP-14. General coding practices
• SWIFTCSC-6_2. Software integrity
• SWIFTCSC-6_3. Database integrity
• ASVS-10_3_2. Application integrity
• C2M2-9_4_b. Implement software security for cybersecurity architecture
• C2M2-9_4_g. Implement software security for cybersecurity architecture
• PCI-2_2_5. System components are configured and managed securely
• PCI-6_4_3. Public-facing web applications are protected against attacks
• SIGLITE-SL_46. Are background checks performed for Service Provider Contractors and Subcontractors?
• SIGLITE-SL_110. Are there any dependencies on critical third party service providers?
• ASVS-14_2_3. Dependency
• CASA-1_14_2. Configuration Architecture
• CASA-1_14_3. Configuration Architecture
• CASA-1_14_4. Configuration Architecture
• CASA-10_3_2. Application Integrity
• NIST-ID_AM-04. Inventories of services provided by suppliers are maintained

Weaknesses

• 448 – Use of software with malware
• 086 – Missing subresource integrity check

Last updated

2024/03/05