All dependencies (third-party software/libraries) must be explicitly declared (name and specific version) in a file inside the source code repository. Their source code must not be directly included in the repository.
The usage of third-party software and libraries is very common in modern applications, as it greatly reduces the effort required to develop them. Unfortunately, this software may introduce vulnerabilities into the application, which causes it to require frequent updates. In order to ease the constant update process, instead of directly including third-party software source code in application repositories, it should merely be referenced and managed using a package manager.
This requirement is verified in following services
- OWASP TOP 10-A8. Software and data integrity failures
- NIST Framework-ID_BE-4. Dependencies and critical functions for delivery of critical services are established
- Agile Alliance-1. Early and continuous delivery of valuable software
- Agile Alliance-9. Continuous attention to technical excellence and good design
- MISRA-C-3_6. All libraries used in production code shall be written
- MISRA-C-8_8. An external object or function shall be declared in one and only one file
- NYDFS-500_11. Third party service provider security policy
- MITRE ATT&CK®-M1044. Restrict library loading
- MITRE ATT&CK®-M1051. Update software
- PA-DSS-5_4_6. Process in place to review application updates
- HITRUST CSF-02_d. Management responsibilities
- HITRUST CSF-05_k. Addressing security in third party agreements
- HITRUST CSF-09_f. Monitoring and review of third-party services
- ISO/IEC 27002-8_28. Secure coding
- NIST SSDF-PS_1_1. Protect all forms of code from unauthorized access and tampering
- NIST SSDF-PW_4_1. Reuse existing, well-secured software when feasible instead of duplicating functionality
- NIST SSDF-PW_5_1. Archive and protect each software release
- MVSP-2_5. Application design controls - Security libraries
- OWASP ASVS-14_2_1. Dependency
- C2M2-9_4_d. Implement software security for cybersecurity architecture
- SIG Lite-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
- SIG Lite-SL_110. Are there any dependencies on critical third party service providers?
- SIG Core-I_2_1. Application security
- ISO/IEC 27001-8_28. Secure coding
- CASA-14_2_1. Dependency
- 079. Non-upgradable dependencies
- 120. Improper dependency pinning
- 138. Inappropriate coding practices
- 410. Dependency Confusion
- 432. Inappropriate coding practices - relative path command
Search for vulnerabilities in your apps for free with our automated security testing! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan. If you prefer a full service that includes the expertise of our ethical hackers, don't hesitate to contact us for our Continuous Hacking Squad Plan.