Verify third-party components


The system must use stable, tested and up-to-date versions of third-party components.


  1. The organization must ensure that the version of all of its own products and of the products provided by third parties is up to date, stable and tested. This reduces the risk of carrying vulnerabilities that were reported in previous versions.

  2. When a product releases a new version, the changes it introduces must be reviewed to verify whether they include fixes or new controls for recently discovered vulnerabilities.


  1. Identify all the products that compose the technology stack, including operating systems, versions, dependencies, and logical and physical authentication features. This inventory must be constantly updated.

  2. Monitor the security of all identified components in public vulnerability databases, implementing alerts for when vulnerabilities are disclosed for the products the organization uses, and determining the level of impact each reported vulnerability has on the organization.

  3. Apply the necessary updates, taking into account the vulnerability type, the affected components and their risk classification within the organization.

  4. Define security policies for the used components, requiring updated versions, specific software, ethical hacking and product licenses. Include internal policies to disable unused features and update default settings that may pose a risk to the organization.
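The inventory, monitoring and prioritization steps above, as an added example that is not part of the original requirement: the inventory, advisory IDs, severities and version ranges are constructed placeholders, and the introduced/fixed range format is borrowed from the OSV schema.

```python
# Added example (not from the page): match a component inventory against advisory
# data and rank what to patch first. All IDs, versions and ranges are constructed.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
EXPOSURE_RANK = {"internet-facing": 2, "internal": 1}

# Step 1 inventory: component -> (installed version, exposure in this organization).
INVENTORY = {
    "openssl": ("3.0.7", "internet-facing"),
    "log4j-core": ("2.17.1", "internal"),
    "jquery": ("3.4.1", "internet-facing"),
}

# Step 2 feed: advisories with OSV-style introduced/fixed version events.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-001", "package": "openssl", "severity": "HIGH",
     "ranges": [{"introduced": "3.0.0", "fixed": "3.0.8"}]},
    {"id": "ADV-PLACEHOLDER-002", "package": "log4j-core", "severity": "CRITICAL",
     "ranges": [{"introduced": "2.0", "fixed": "2.17.1"}]},
    {"id": "ADV-PLACEHOLDER-003", "package": "jquery", "severity": "MEDIUM",
     "ranges": [{"introduced": "1.0.0", "fixed": "3.5.0"}]},
]

def parse_version(version):
    """'1.22.0' -> (1, 22, 0); non-digit characters in a part are dropped."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_affected(version, ranges):
    """True if version lies in any [introduced, fixed) range; no 'fixed' = still open."""
    ver = parse_version(version)
    for rng in ranges:
        fixed = rng.get("fixed")
        if ver >= parse_version(rng["introduced"]) and (
                fixed is None or ver < parse_version(fixed)):
            return True
    return False

def find_exposures(inventory, advisories):
    """Step 3: affected components scored by severity x exposure, highest first."""
    hits = []
    for adv in advisories:
        version, exposure = inventory.get(adv["package"], (None, None))
        if version and is_affected(version, adv["ranges"]):
            score = SEVERITY_RANK[adv["severity"]] * EXPOSURE_RANK[exposure]
            hits.append((score, adv["package"], version, adv["id"]))
    return sorted(hits, reverse=True)
```

Note that log4j-core 2.17.1 is not reported because the fixed version is exclusive of the range, which is the boundary a naive string comparison would get wrong.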


  • An attacker obtains technical information about a specific product. If the service or software is out of date, there may be public exploits designed to attack known vulnerabilities present in the version of the product that is in use.


  • Layer: Application layer
  • Asset: Services and functions
  • Scope: Stability
  • Phase: Operation
  • Type of control: Recommendation