[ISM] Secure-by-design:

Secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, and secure programming practices are used as part of application development.

[SSDF] Manage secure third-party software components (SSS-02-01-08)

Acquire and manage secure third-party software components, including libraries and frameworks, by reviewing and evaluating them based on intended use, verifying secure configurations, maintaining an approved list, and implementing update processes. This ensures that all components meet security standards and align with the organization's secure development goals.

[SAMM] Test application dependencies (SSS-02-01-08-01)

Maintain a whitelist of approved dependencies and versions to enforce rigorous control over third-party software components. Configure the build process to automatically fail if unapproved dependencies are detected, with a defined sign-off procedure for handling justified exceptions.

Perform security verification activities for approved dependencies, using methodologies such as Static Application Security Testing (SAST) and analysis of transitive dependencies, to ensure alignment with the organization’s security standards. Extend these checks to detect potential vulnerabilities such as backdoors, malicious code, or ‘easter eggs’ in the dependencies.

Collaborate with dependency authors by establishing vulnerability disclosure protocols, including Service Level Agreements (SLAs) for addressing identified issues. Where SLAs are not feasible, such as in open-source environments, anticipate probable vulnerabilities and implement compensating controls promptly to mitigate the associated risks.

Conduct regression testing to validate fixes for identified issues and track their resolution status within a defect tracking system. Integrate this tracking system with the build pipeline so that builds are halted automatically when dependencies with unresolved issues surpass a defined criticality threshold. This comprehensive approach ensures that all dependencies meet the organization’s security objectives and effectively mitigates the risks associated with third-party components.

Operations

| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-02-01-08-01-01 | Maintain and enforce a whitelist of dependencies | Create and regularly update a whitelist of approved dependencies and their versions. Ensure the build process fails when unapproved dependencies are detected. | Development | DevOps team, Security team |
| SSS-02-01-08-01-02 | Perform security verification on dependencies | Conduct security testing (e.g., SAST, transitive dependency analysis) on approved dependencies to identify vulnerabilities, backdoors, or easter eggs. | Development | Security team, Development teams |
| SSS-02-01-08-01-03 | Establish vulnerability disclosure processes | Work with dependency authors to set up SLAs for fixing vulnerabilities. If SLAs cannot be enforced (e.g., open-source), prepare compensating controls to mitigate risks. | Deployment | Security team, Procurement team |
| SSS-02-01-08-01-04 | Implement build pipeline integration for dependency checks | Integrate dependency vulnerability scanning tools into the CI/CD pipeline. Automatically fail builds if vulnerabilities above a criticality threshold are detected. | Deployment | DevOps team, Security team |
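The following script is an added example, not text from ISM, the SSDF or SAMM, showing how the two pipeline gates described above (SSS-02-01-08-01-01 and SSS-02-01-08-01-04) can be implemented in a CI step: every pinned dependency must match the approved whitelist by name and version unless a signed-off exception covers it, and any unresolved scanner finding on an installed dependency at or above the configured criticality threshold blocks the build. The pip-style lock file format, the scanner report shape, the function names and all sample data are assumptions of this example; advisory identifiers and the exception ticket are placeholders.

```python
"""Dependency build gate (added example; formats and names are assumptions)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Ordered severities so the gate compares ranks rather than strings.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Only exact "name==version" pins are accepted: a range such as "flask>=2.0"
# cannot be matched against an approved version, so it is reported as a violation.
_PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([A-Za-z0-9_.+-]+)\s*(?:#.*)?$")


@dataclass(frozen=True)
class Dep:
    name: str
    version: str | None  # None when the line is not an exact pin
    raw: str


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    severity: str
    advisory: str        # scanner identifier (placeholder values below)
    resolved: bool = False  # mirrored from the defect tracking system


def parse_lockfile(text: str) -> list[Dep]:
    """Parse pip-style requirement lines; comments and blank lines are skipped."""
    deps = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _PIN_RE.match(stripped)
        deps.append(Dep(m.group(1).lower(), m.group(2), stripped) if m
                    else Dep(stripped.lower(), None, stripped))
    return deps


def check_allowlist(deps, allowlist, exceptions):
    """Gate 1: report deps not on the approved list and not covered by a sign-off."""
    violations = []
    for d in deps:
        if d.version is None:
            violations.append(f"{d.raw}: not an exact pin, cannot be verified")
        elif d.version in allowlist.get(d.name, ()):
            continue
        elif (d.name, d.version) in exceptions:
            continue  # justified exception with a recorded sign-off ticket
        else:
            violations.append(f"{d.name}=={d.version}: not on approved list")
    return violations


def check_findings(deps, findings, threshold):
    """Gate 2: unresolved findings on installed deps at/above the threshold."""
    installed = {(d.name, d.version) for d in deps if d.version}
    limit = SEVERITY_RANK[threshold]
    return [f for f in findings
            if (f.package.lower(), f.version) in installed
            and not f.resolved
            and SEVERITY_RANK.get(f.severity.lower(), 0) >= limit]


def gate(lock_text, allowlist, exceptions, findings, threshold="high"):
    """Return the list of blocking problems; an empty list means the build may proceed."""
    deps = parse_lockfile(lock_text)
    problems = check_allowlist(deps, allowlist, exceptions)
    problems += [f"{f.package}=={f.version}: {f.severity} {f.advisory} unresolved"
                 for f in check_findings(deps, findings, threshold)]
    return problems


# Constructed sample inputs (not real packages' security status).
LOCKFILE = """\
# constructed sample lock file
requests==2.31.0
urllib3==1.26.5
flask>=2.0
leftpad==1.0.0
"""
ALLOWLIST = {"requests": {"2.31.0"}, "urllib3": {"1.26.5", "2.2.1"}, "flask": {"3.0.0"}}
EXCEPTIONS = {("leftpad", "1.0.0"): "EXC-0001 (placeholder sign-off ticket)"}
FINDINGS = [
    Finding("urllib3", "1.26.5", "high", "ADV-PLACEHOLDER-1"),
    Finding("requests", "2.31.0", "low", "ADV-PLACEHOLDER-2"),
    Finding("urllib3", "2.2.1", "critical", "ADV-PLACEHOLDER-3"),  # version not installed
]

if __name__ == "__main__":
    problems = gate(LOCKFILE, ALLOWLIST, EXCEPTIONS, FINDINGS, "high")
    for p in problems:
        print("BLOCK:", p)
    raise SystemExit(1 if problems else 0)
```

In a pipeline the script's non-zero exit status is what fails the job; the threshold is a single setting so that raising or lowering it is a reviewed configuration change rather than an edit to the gate logic, and the exception table keeps the sign-off ticket next to the dependency it covers.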

References

| Industry framework | Academic work | Real-world case |
|---|---|---|
| Information Security Manual (ISM-0401) | | |
| NIST Secure Software Development Framework (PW.4.1) | | |
| OWASP SAMM: Software Assurance Maturity Model (I-SB-3-B) | | |