Verify Subresource Integrity
Summary
The application must verify the integrity of all externally hosted resources and dependencies using Subresource Integrity (SRI).
Description
Applications often use resources or have dependencies that are hosted on external servers such as a content delivery network (CDN). Applications must validate the integrity of such assets using Subresource Integrity (SRI), in case those systems are compromised.
Supported In
This requirement is verified in the following services
| Plan | Supported |
|---|---|
| Machine | 🟢 |
| Squad | 🟢 |
References
- CAPEC™-148. Content spoofing
- CAPEC™-154. Resource location spoofing
- CAPEC™-165. File manipulation
- CWE™-353. Missing support for integrity check
- CWE™-494. Download of code without integrity check
- OWASP-M TOP 10-M1. Improper platform usage
- NIST Framework-ID_AM-4. External information systems are catalogued
- NY SHIELD Act-5575_B_6. Personal and private information
- MITRE ATT&CK®-M1035. Limit access to resource over network
- PA-DSS-5_1_5. Secure practices are implemented to verify integrity of source code during the development process
- CMMC-AC_L1-3_1_20. External connections
- HITRUST CSF-01_j. User authentication for external connections
- HITRUST CSF-10_c. Control of internal processing
- OSSTMM3-10_7_4. Telecommunications security (controls verification) - Integrity
- NIST SSDF-PO_1_3. Define security requirements for software development
- NIST SSDF-PS_2_1. Provide a mechanism for verifying software release integrity
- OWASP SCP-14. General coding practices
- SWIFT CSCF-6_2. Software integrity
- SWIFT CSCF-6_3. Database integrity
- OWASP ASVS-10_3_2. Application integrity
- C2M2-9_4_b. Implement software security for cybersecurity architecture
- C2M2-9_4_g. Implement software security for cybersecurity architecture
- PCI DSS-2_2_5. System components are configured and managed securely
- PCI DSS-6_4_3. Public-facing web applications are protected against attacks
- SIG Lite-SL_46. Are background checks performed for Service Provider Contractors and Subcontractors?
- SIG Lite-SL_110. Are there any dependencies on critical third party service providers?
- OWASP ASVS-14_2_3. Dependency
- CASA-1_14_2. Configuration Architecture
- CASA-1_14_3. Configuration Architecture
- CASA-1_14_4. Configuration Architecture
- CASA-10_3_2. Application Integrity