Verify third-party components
Summary
The system must use stable, tested and up-to-date versions of third-party components.
Description
- The organization must ensure that the version of all of its products, and of the products provided by third parties, is up to date, stable and tested. This reduces the risk of including vulnerabilities reported in previous versions.
- When a product changes its version, the implemented improvements must be reviewed to verify whether the release includes fixes or new controls for recently discovered vulnerabilities.
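A verification pass over a dependency list, added here as an example and not part of the original requirement page. The advisory feed, the latest-stable table and the sample dependency list are constructed inline with hypothetical identifiers; the check flags components that are unpinned (so nothing can be verified), pinned below the first fixed release of a known advisory, or behind the latest stable release.

```python
import re

# Constructed advisory feed with hypothetical ids: name -> [(advisory, first fixed version)].
ADVISORIES = {"libexample": [("ADV-0001", "2.4.1")],
              "netshim": [("ADV-0002", "1.0.0"), ("ADV-0003", "1.3.0")]}
# Constructed "latest stable release" table (pre-releases do not count as stable).
LATEST_STABLE = {"libexample": "2.5.0", "netshim": "1.3.0", "logkit": "0.9.2"}

def parse_version(text):
    """'1.2.3' -> (1, 2, 3); missing parts count as 0, non-numeric suffixes are dropped."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))[:3]

def parse_requirement(line):
    """'Name==1.2.3  # comment' -> ('name', '1.2.3'); an unpinned line gives version None."""
    spec = line.split("#", 1)[0].strip()
    m = re.match(r"^([A-Za-z0-9_.-]+)\s*(?:==\s*([0-9][0-9A-Za-z.]*))?\s*$", spec)
    if not m:
        raise ValueError("unsupported requirement line: %r" % line)
    return m.group(1).lower(), m.group(2)

def check_components(lines):
    """One (name, issue, detail) finding per problem: unpinned, vulnerable or outdated."""
    findings = []
    for line in lines:
        if not line.split("#", 1)[0].strip():
            continue  # blank or comment-only line
        name, version = parse_requirement(line)
        if version is None:  # cannot be verified against any advisory
            findings.append((name, "unpinned", None))
            continue
        current = parse_version(version)
        for adv_id, fixed in ADVISORIES.get(name, []):
            if current < parse_version(fixed):  # a fixed release exists but is not used
                findings.append((name, "vulnerable", adv_id))
        latest = LATEST_STABLE.get(name)
        if latest and current < parse_version(latest):
            findings.append((name, "outdated", latest))
    return findings

# Constructed sample dependency list in requirements.txt style.
SAMPLE = ["libexample==2.3.0", "netshim==1.3.0", "logkit  # unpinned", "yaml-utils==3.1.0"]

if __name__ == "__main__":
    for name, issue, detail in check_components(SAMPLE):
        print(f"{name}: {issue} ({detail})")
```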
Supported In
This requirement is verified in the following services

| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- BSIMM-SR2_4:_92. Identify open source
- CAPEC™-42. MIME conversion
- CAPEC™-240. Resource injection
- CAPEC™-242. Code injection
- CAPEC™-682. Exploitation of Firmware or ROM Code with Unpatchable Vulnerabilities
- CAPEC™-691. Spoof Open-Source Software Metadata
- CAPEC™-692. Spoof Version Control System Commit Metadata
- CAPEC™-693. StarJacking
- CAPEC™-695. Repo Jacking
- CAPEC™-698. Install Malicious Extension
- CAPEC™-701. Browser in the Middle (BiTM)
- CIS-2_1. Establish and maintain a software inventory
- CIS-7_4. Perform automated application patch management
- CIS-16_4. Establish and manage an inventory of third-party software components
- CIS-16_5. Use up-to-date and trusted third-party software components
- CWE™-353. Missing support for integrity check
- CWE™-507. Trojan horse
- CWE™-1395. Dependency on Vulnerable Third-Party Component
- OWASP TOP 10-A6. Vulnerable and outdated components
- OWASP-M TOP 10-M8. Code tampering
- NIST Framework-ID_AM-5. Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are established
- NIST Framework-DE_CM-6. External service provider activity is monitored to detect potential cybersecurity events
- NY SHIELD Act-5575_B_6. Personal and private information
- NYDFS-500_11. Third party service provider security policy
- PA-DSS-8_2. Use of necessary and secure services, including those provided by third parties
- POPIA-3A_21. Security measures regarding information processed by operator
- CMMC-AC_L1-3_1_20. External connections
- CMMC-CA_L2-3_12_2. Plan of action
- HITRUST CSF-01_j. User authentication for external connections
- HITRUST CSF-03_a. Risk management program development
- HITRUST CSF-05_i. Identification of risks related to external parties
- HITRUST CSF-09_e. Service delivery
- HITRUST CSF-10_l. Outsourced software development
- FedRAMP-CA-2_3. Security assessment - External organizations
- FedRAMP-PS-7. Third-party personnel security
- FedRAMP-SA-9. External information system services
- ISO/IEC 27002-5_22. Monitoring, review and change management of supplier services
- LGPD-8-6. Requirements for the Processing of Personal Data
- ISA/IEC 62443-CR-1_1-RE_2. Multifactor authentication for all interfaces
- OSSTMM3-10_2_1. Telecommunications security (logistics) - Framework
- OSSTMM3-10_3_1. Telecommunications security (active detection verification) - Monitoring
- OSSTMM3-10_5_2. Telecommunications security (access verification) - Services
- NIST SSDF-PO_1_3. Define security requirements for software development
- NIST SSDF-PW_4_1. Reuse existing, well-secured software when feasible instead of duplicating functionality
- NIST SSDF-PW_4_4. Reuse existing, well-secured software when feasible instead of duplicating functionality
- PTES-4_3_4. Business process analysis - Third party integration
- PTES-5_2_3_3. Vulnerability analysis - Web application scanners (web server version)
- OWASP SCP-10. System configuration
- OWASP SCP-14. General coding practices
- BSAFSS-SM_2-1. Measures to ensure visibility, traceability, and security of third-party components
- BSAFSS-VN_1-2. Vulnerability notification and patching
- BSAFSS-VN_3-1. Vulnerability notification and patching (updates are accompanied by advisory messages)
- OWASP MASVS-V7_5. Code quality and build setting requirements
- SWIFT CSCF-2_2. Security updates
- SWIFT CSCF-6_2. Software integrity
- OWASP SAMM-TA_3. Concretely tie compensating controls to each threat against internal and third-party software
- OWASP ASVS-10_2_4. Malicious code search
- OWASP ASVS-10_2_5. Malicious code search
- OWASP ASVS-10_3_2. Application integrity
- C2M2-3_2_k. Identify cyber risk
- C2M2-7_1_c. Identify and prioritize third parties
- C2M2-7_2_a. Manage third-party risk
- C2M2-7_2_b. Manage third-party risk
- SIG Lite-SL_154. Do agreements with third parties who have access or potential access to scoped data, address confidentiality, audit, security, and privacy, including but not limited to incident response, monitoring, data sharing and secure disposal of scoped data?
- OWASP ASVS-1_14_6. Configuration architecture
- OWASP ASVS-14_2_5. Dependency
- OWASP API Security Top 10-API9. Improper Assets Management
- ISO/IEC 27001-5_22. Monitoring, review and change management of supplier services
- CASA-1_14_6. Configuration Architecture
- CASA-10_2_4. Malicious Code Search
- CASA-10_2_5. Malicious Code Search
- CASA-10_3_2. Application Integrity
Vulnerabilities
- 011. Use of software with known vulnerabilities
- 086. Missing subresource integrity check
- 393. Use of software with known vulnerabilities in development
- 410. Dependency Confusion
- 435. Use of software with known vulnerabilities in environments