Secure-by-design and secure-by-default principles, memory-safe programming languages where possible, and secure programming practices are applied as part of application development.
Verify compliance of third-party software components with organizational security requirements throughout their lifecycle. Regularly monitor for known vulnerabilities, use automated detection tools, plan for end-of-life scenarios, and conduct integrity checks. This practice minimizes risks associated with third-party software and ensures ongoing compliance with secure-by-design principles.
Evaluate and maintain an approved list of application dependencies to ensure compliance with organizational security requirements. Establish a central repository for approved dependencies to standardize and secure software builds across teams and projects. Regularly review dependencies to confirm that they are correctly licensed, that no significant vulnerabilities impacting the application are present, that they are actively supported and maintained by their creators, that the latest or a secure, stable version is being used, and that each dependency is included based on a valid business or technical need. Utilize automated tools to scan for vulnerabilities in dependencies, assign identified issues to the appropriate development teams, and track remediation efforts. Address non-conformities promptly by treating them as defects. Additionally, incorporate plans for end-of-life scenarios to manage and replace deprecated dependencies proactively. These measures help maintain robust security throughout the dependency lifecycle and align with secure-by-design principles.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-01-10-01-01 | Define evaluation criteria for dependencies | Establish clear criteria for evaluating dependencies, including licensing, vulnerability status, support, versioning, and business justification for inclusion. | Preparation | Security team, Development leads, Legal team |
SSS-02-01-10-01-02 | Create and maintain a central repository | Set up a central repository (e.g., Nexus, Artifactory) containing approved and pre-validated dependencies, ensuring all projects pull from this controlled source. | Development | DevOps team, Security team |
SSS-02-01-10-01-03 | Automate dependency scanning and monitoring | Integrate tools like Snyk, Dependabot, or OWASP Dependency-Check into the CI/CD pipeline to detect vulnerable, outdated, or non-conforming dependencies. | Development | DevOps team, Security team |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-0401); NIST Secure Software Development Framework (PW.4.4); OWASP SAMM: Software Assurance Maturity Model (I-SB-2-B) | | |
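An added example, not part of this framework or of any tool named above, of the approved-list review described for this practice: it parses a pinned, requirements-style manifest, compares each entry against an allowlist that records approved versions, end-of-life dates and the business justification, and reports every non-conformity as a defect to track. The allowlist, manifest, package names and review date are constructed for illustration.

```python
from datetime import date

# Constructed allowlist standing in for the central repository's approved entries.
# Each holds the approved versions, an end-of-life date (None = still supported)
# and the business justification recorded at approval time. Values are illustrative.
ALLOWLIST = {
    "requests": {"versions": {"2.31.0", "2.32.3"}, "eol": None, "why": "HTTP client"},
    "pyyaml": {"versions": {"6.0.1"}, "eol": None, "why": "config parsing"},
    "legacylib": {"versions": {"1.4.2"}, "eol": date(2024, 1, 31), "why": "report export"},
}

# Constructed requirements-style manifest of a hypothetical application.
MANIFEST = """\
requests==2.32.3
pyyaml==5.4.1          # older than the approved version
legacylib==1.4.2       # approved, but the project has reached end-of-life
leftpad==0.1.0         # never approved
flask                  # unpinned, so it cannot be matched against the list
"""

REVIEW_DATE = date(2025, 1, 1)  # fixed so the result is reproducible

def parse_manifest(text):
    """Return {name: version-or-None} from 'name==version' lines."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, _, version = line.partition("==")
        pins[name.strip().lower()] = version.strip() or None
    return pins

def check_dependencies(manifest, allowlist, today):
    """Return (package, version, reason) for every non-conformity found."""
    findings = []
    for name, version in parse_manifest(manifest).items():
        entry = allowlist.get(name)
        if version is None:
            findings.append((name, version, "not pinned to a version"))
        elif entry is None:
            findings.append((name, version, "not on the approved list"))
        elif version not in entry["versions"]:
            findings.append((name, version, "version not approved"))
        elif entry["eol"] is not None and entry["eol"] <= today:
            findings.append((name, version, "approved but past end-of-life"))
    return findings

if __name__ == "__main__":
    for pkg, ver, reason in check_dependencies(MANIFEST, ALLOWLIST, REVIEW_DATE):
        print(f"DEFECT {pkg}=={ver or '?'}: {reason}")   # each finding is tracked as a defect
```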
Conduct proactive security analysis of open-source software (OSS) to identify potential zero-day vulnerabilities, backdoors, and other security risks. Utilize advanced automated tools and manual inspection to thoroughly examine OSS dependencies used in your environment. For any vulnerabilities or risks discovered, responsibly disclose them to the upstream OSS project or maintainers to support timely remediation. Establish clear guidelines and processes for disclosure, ensuring alignment with responsible disclosure practices and fostering collaboration with the OSS community. By identifying and addressing vulnerabilities proactively, the organization strengthens its security posture while contributing to the wider ecosystem's security improvements.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-01-10-02-01 | Conduct proactive security scanning | Use tools like Semgrep, Trivy, or Clair to perform deep scans of OSS libraries for hidden vulnerabilities or malicious code. | Development | Security team, DevOps team |
SSS-02-01-10-02-01 | Perform manual code review for critical OSS | Assign security analysts to review OSS code critical to the application (e.g., cryptography libraries or authentication modules). | Development | Security team, Development leads |
SSS-02-01-10-02-01 | Develop responsible disclosure processes | Use platforms like HackerOne, or email OSS project maintainers directly, to report vulnerabilities securely. | Deployment | Security team, OSS contributors |
SSS-02-01-10-02-01 | Track and monitor OSS vulnerabilities | Use defect tracking tools like JIRA to log vulnerabilities and track their status until resolved or mitigated. | Post-deployment | Security team, Development leads |
SSS-02-01-10-02-01 | Implement temporary mitigations for identified vulnerabilities | Apply a local patch or restrict functionality if a zero-day vulnerability is found in a dependency critical to the application. | Post-deployment | Development teams, Security team |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-0401); NIST Secure Software Development Framework (PW.4.4); S2C2F: Secure Supply Chain Consumption Framework (SCA-5) | | |