All dependencies (third-party software/libraries) must be explicitly declared (name and specific version) in a file inside the source code repository. Their source code must not be directly included in the repository.
The use of third-party software and libraries is very common in modern applications, as it greatly reduces the effort required to develop them. Unfortunately, this software may introduce vulnerabilities into the application, which means it has to be updated frequently. To ease this constant update process, third-party source code should not be included directly in application repositories; instead, it should merely be referenced and managed using a package manager.
This requirement is verified in the following services:
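As an added example (not from the original page), the following Python script checks a requirements.txt-style manifest for entries that are not pinned to one exact version and flags files committed under directories conventionally used for vendored third-party source. The manifest content, the repository paths and the set of directory names treated as "vendored" are constructed assumptions for this example.

```python
"""
Added example: verify that every third-party dependency is declared with an
exact version in a manifest, and that no third-party source tree is committed
next to the application code. The manifest format is requirements.txt-style;
the directory names treated as "vendored" are an assumption of this example.
"""
import re

# Directory names commonly used to commit third-party source directly (assumption).
VENDORED_DIR_NAMES = {"vendor", "vendors", "third_party", "thirdparty", "node_modules", "external"}

REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"   # package name
    r"(?:\[[^\]]*\])?"                         # optional extras, e.g. requests[security]
    r"\s*(?P<op>==|~=|>=|<=|!=|>|<)?"          # version operator, if any
    r"\s*(?P<version>\S*)$"                    # version string, possibly empty
)


def parse_requirement(line):
    """Split one requirements.txt-style line into (name, operator, version).

    Returns None for blank lines and comments. Inline comments and environment
    markers (the part after ';') do not affect whether the entry is pinned.
    """
    spec = line.split("#", 1)[0].split(";", 1)[0].strip()
    if not spec:
        return None
    match = REQ_RE.match(spec)
    if not match:
        return spec, None, None  # unparsable entry: treated as unpinned below
    return match.group("name"), match.group("op"), match.group("version")


def unpinned_entries(manifest_text):
    """Return [(name, reason)] for every requirement not pinned with '==' to one exact version."""
    problems = []
    for raw in manifest_text.splitlines():
        parsed = parse_requirement(raw)
        if parsed is None:
            continue
        name, op, version = parsed
        if op is None or not version:
            problems.append((name, "no version specified"))
        elif op != "==" or "*" in version:
            # Ranges and wildcards resolve to whatever is newest at install time,
            # so two builds of the same commit can pull different code.
            problems.append((name, f"range specifier '{op}{version}' instead of an exact pin"))
    return problems


def vendored_paths(repo_paths):
    """Return repo-relative paths located inside a directory typically used for vendored source."""
    hits = []
    for path in repo_paths:
        parts = path.replace("\\", "/").split("/")
        if any(part.lower() in VENDORED_DIR_NAMES for part in parts[:-1]):
            hits.append(path)
    return hits


# Constructed sample inputs for this example.
SAMPLE_MANIFEST = """\
requests==2.31.0          # exact pin: acceptable
urllib3>=1.26             # lower bound only: any future release is accepted
pyyaml                    # no version at all
cryptography~=41.0        # compatible-release range
click==8.1.7 ; python_version >= "3.8"
"""

SAMPLE_REPO_PATHS = [
    "app/main.py",
    "requirements.txt",
    "vendor/requests/__init__.py",   # third-party source committed directly
]

if __name__ == "__main__":
    for name, reason in unpinned_entries(SAMPLE_MANIFEST):
        print(f"unpinned: {name}: {reason}")
    for path in vendored_paths(SAMPLE_REPO_PATHS):
        print(f"vendored source in repository: {path}")
```

Run against the sample data, the script reports `urllib3`, `pyyaml` and `cryptography` as unpinned and flags `vendor/requests/__init__.py` as committed third-party source; the same two checks can be wired into a pre-commit hook or CI job so that a manifest change that loosens a pin, or a commit that vendors a library, fails the build.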
- OWASP TOP 10-A8. Software and data integrity failures
- NIST Framework-ID_BE-4. Dependencies and critical functions for delivery of critical services are established
- Agile Alliance-1. Early and continuous delivery of valuable software
- Agile Alliance-9. Continuous attention to technical excellence and good design
- MISRA-C-3_6. All libraries used in production code shall be written
- MISRA-C-8_8. An external object or function shall be declared in one and only one file
- NYDFS-500_11. Third party service provider security policy
- MITRE ATT&CK®-M1044. Restrict library loading
- MITRE ATT&CK®-M1051. Update software
- PA-DSS-5_4_6. Process in place to review application updates
- HITRUST CSF-02_d. Management responsibilities
- HITRUST CSF-05_k. Addressing security in third party agreements
- HITRUST CSF-09_f. Monitoring and review of third-party services
- ISO/IEC 27002-8_28. Secure coding
- NIST SSDF-PS_1_1. Protect all forms of code from unauthorized access and tampering
- NIST SSDF-PW_4_1. Reuse existing, well-secured software when feasible instead of duplicating functionality
- NIST SSDF-PW_5_1. Archive and protect each software release
- MVSP-2_5. Application design - Security libraries
- OWASP ASVS-14_2_1. Dependency
- C2M2-9_4_d. Implement software security for cybersecurity architecture
- SIG Lite-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
- SIG Lite-SL_110. Are there any dependencies on critical third party service providers?
- SIG Core-I_2_1. Application security