Verify third-party components
Summary
The system must use stable, tested and up-to-date versions of third-party components.
Description
- The organization must ensure that the versions of all of its own products and of the products provided by third parties are up to date, stable and tested. This reduces the risk of shipping vulnerabilities that were reported and fixed in earlier versions.
- When a product's version changes, the changes it introduces must be reviewed to verify whether they include fixes or new controls for recently discovered vulnerabilities.
Supported In
This requirement is verified in the following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- BSIMM-SR1_5:_101. Identify open source
- CAPEC™-42. MIME conversion
- CAPEC™-240. Resource injection
- CAPEC™-242. Code injection
- CAPEC™-682. Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities
- CAPEC™-691. Spoof Open-Source Software Metadata
- CAPEC™-692. Spoof Version Control System Commit Metadata
- CAPEC™-693. StarJacking
- CAPEC™-695. Repo Jacking
- CAPEC™-698. Install Malicious Extension
- CAPEC™-701. Browser in the Middle (BiTM)
- CIS-2_1. Establish and maintain a software inventory
- CIS-7_4. Perform automated application patch management
- CIS-16_4. Establish and manage an inventory of third-Party software components
- CIS-16_5. Use up-to-date and trusted third-party software components
- CWE™-353. Missing support for integrity check
- CWE™-507. Trojan horse
- CWE™-1395. Dependency on Vulnerable Third-Party Component
- OWASP TOP 10-A6. Vulnerable and outdated components
- OWASP-M TOP 10-M8. Code tampering
- NY SHIELD Act-5575_B_6. Personal and private information
- NYDFS-500_11. Third party service provider security policy
- PA-DSS-8_2. Use of necessary and secure services, including those provided by third parties
- POPIA-3A_21. Security measures regarding information processed by operator
- CMMC-AC_L1-3_1_20. External connections
- CMMC-CA_L2-3_12_2. Plan of action
- HITRUST CSF-01_j. User authentication for external connections
- HITRUST CSF-03_a. Risk management program development
- HITRUST CSF-05_i. Identification of risks related to external parties
- HITRUST CSF-09_e. Service delivery
- HITRUST CSF-10_l. Outsourced software development
- FedRAMP-CA-2_3. Security assessment - External organizations
- FedRAMP-PS-7. Third-party personnel security
- FedRAMP-SA-9. External information system services
- ISO/IEC 27002-5_22. Monitoring, review and change management of supplier services
- LGPD-8-6. Requirements for the Processing of Personal Data
- ISA/IEC 62443-CR-1_1-RE_2. Multifactor authentication for all interfaces
- OSSTMM3-10_2_1. Telecommunications security (logistics) - Framework
- OSSTMM3-10_3_1. Telecommunications security (active detection verification) - Monitoring
- OSSTMM3-10_5_2. Telecommunications security (access verification) - Services
- NIST SSDF-PO_1_3. Define security requirements for software development
- NIST SSDF-PW_4_1. Reuse existing, well-secured software when feasible instead of duplicating functionality
- NIST SSDF-PW_4_4. Reuse existing, well-secured software when feasible instead of duplicating functionality
- PTES-4_3_4. Business process analysis - Third party integration
- PTES-5_2_3_3. Vulnerability analysis - Web application scanners (web server version)
- OWASP SCP-10. System configuration
- OWASP SCP-14. General coding practices
- BSAFSS-SM_2-1. Measures to ensure visibility, traceability, and security of third-party components
- BSAFSS-VN_1-2. Vulnerability notification and patching
- BSAFSS-VN_3-1. Vulnerability notification and patching (updates are accompanied by advisory messages)
- SWIFT CSCF-2_2. Security updates
- SWIFT CSCF-6_2. Software integrity
- OWASP SAMM-SA. Security Architecture
- OWASP ASVS-10_2_4. Malicious code search
- OWASP ASVS-10_2_5. Malicious code search
- OWASP ASVS-10_3_2. Application integrity
- C2M2-3_2_k. Identify cyber risk
- C2M2-7_1_c. Identify and prioritize third parties
- C2M2-7_2_a. Manage third-party risk
- C2M2-7_2_b. Manage third-party risk
- SIG Lite-SL_154. Do agreements with third parties who have access or potential access to scoped data, address confidentiality, audit, security, and privacy, including but not limited to incident response, monitoring, data sharing and secure disposal of scoped data?
- OWASP ASVS-1_14_6. Configuration architecture
- OWASP ASVS-14_2_5. Dependency
- OWASP API Security Top 10-API9. Improper Inventory Management
- OWASP API Security Top 10-API10. Unsafe Consumption of APIs
- ISO/IEC 27001-5_22. Monitoring, review and change management of supplier services
- CASA-1_14_6. Configuration Architecture
- CASA-10_2_4. Malicious Code Search
- CASA-10_2_5. Malicious Code Search
- CASA-10_3_2. Application Integrity
- OWASP MASVS-CODE-1. The app requires an up-to-date platform version
- OWASP MASVS-CODE-2. The app has a mechanism for enforcing app updates
- OWASP MASVS-CODE-3. The app only uses software components without known vulnerabilities
- OWASP MASVS-RESILIENCE-1. The app validates the integrity of the platform
- OWASP MASVS-RESILIENCE-2. The app implements anti-tampering mechanisms
- NIST CSF-PR_PS-02. Software is maintained, replaced, and removed commensurate with risk
- NIST CSF-DE_CM-06. External service provider activities and services are monitored to find potentially adverse events
Vulnerabilities
- 011. Use of software with known vulnerabilities
- 086. Missing subresource integrity check
- 393. Use of software with known vulnerabilities in development
- 410. Dependency Confusion
- 435. Use of software with known vulnerabilities in environments