[ISM] Proactive Controls (OWASP Top):

The OWASP Top 10 Proactive Controls are used in the development of web applications.

[OWASP] Maintain secure dependencies (SSS-02-12-06)

Ensure all libraries and frameworks used in development are secure and well-maintained to minimize security risks. For example:
- Prioritize built-in security features of existing frameworks rather than introducing additional third-party libraries that require extra maintenance.
- Use only trusted and actively maintained libraries, verifying their sources and security track records before integration.
- Implement automated dependency monitoring and updates to patch vulnerabilities promptly, reducing exposure to supply chain attacks.
- Regularly audit and assess third-party components to ensure ongoing security compliance and resilience against evolving threats.

[OWASP] Manage software dependencies securely (SSS-02-12-06-01)

1. Best Practices to Identify Trusted Libraries
- Use official sources (e.g., npm, PyPI, Maven) and prefer digitally signed packages.
- Check for active maintenance, frequent updates, and a strong security track record.
- Verify security advisories and CVEs via sources like OWASP Dependency Check or CycloneDX.

2. Best Practices to Keep Libraries Secure
- Regularly update dependencies and remove unused or deprecated ones.
- Use software composition analysis (SCA) tools to detect vulnerabilities.
- Lock dependency versions using package managers to prevent unintended updates.
- Prefer least privilege access when integrating libraries to limit security risks.

By identifying trusted libraries and maintaining them securely, organizations can minimize risks from supply chain attacks and outdated dependencies.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-12-06-01-01 | Identify trusted libraries and frameworks | Use official sources (e.g., npm, PyPI, Maven) to select trusted libraries and prefer digitally signed packages. Ensure that the library or framework has a strong security track record, is actively maintained, and receives frequent updates. | Development | Security Teams, Software Developers
SSS-02-12-06-01-02 | Check for active maintenance and security advisories | Regularly check security advisories and CVEs (Common Vulnerabilities and Exposures) via sources like OWASP Dependency Check or CycloneDX. Only use libraries with an active and reliable security patch history. | Development | Security Engineers, Software Developers
SSS-02-12-06-01-03 | Regularly update dependencies | Keep dependencies up to date by regularly updating third-party libraries and removing any unused or deprecated ones. This reduces the risk of vulnerabilities due to outdated components. | Post-deployment | DevOps Teams, Security Engineers
SSS-02-12-06-01-04 | Use software composition analysis (SCA) tools | Implement Software Composition Analysis (SCA) tools to automatically detect vulnerabilities within third-party libraries and dependencies. These tools help ensure that the libraries used are secure and up to date. | Development | Security Teams, QA Teams
SSS-02-12-06-01-05 | Limit access and use least privilege | When integrating third-party libraries, grant them only the minimum level of access necessary for their functionality. This limits potential security risks and prevents unnecessary exposure. | Development | Security Engineers, Software Developers
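The advisory check (SSS-02-12-06-01-02), the SCA scan (SSS-02-12-06-01-04) and the version-locking practice above can be exercised with a small script. The following is an added example, not part of this control catalogue or of any OWASP tool: it matches components from a constructed CycloneDX-style SBOM against a constructed advisory list with placeholder ids (a real SCA tool would pull CVE data from a live feed), and flags requirement lines that are not pinned to an exact version.

```python
import json
import re
# Constructed CycloneDX-style SBOM fragment; package names and versions are invented.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "examplelib", "version": "2.0.1", "purl": "pkg:pypi/examplelib@2.0.1"},
    {"type": "library", "name": "oldlib", "version": "0.9.5", "purl": "pkg:pypi/oldlib@0.9.5"},
    {"type": "library", "name": "oldlib", "version": "1.2.0", "purl": "pkg:npm/oldlib@1.2.0"}
  ]
}"""
# Constructed advisory feed with placeholder ids; a real SCA tool pulls CVE data instead.
ADVISORIES = [
    {"ecosystem": "pypi", "name": "oldlib", "fixed_in": "1.0.0", "id": "ADV-EXAMPLE-0001"},
    {"ecosystem": "pypi", "name": "examplelib", "fixed_in": "2.0.0", "id": "ADV-EXAMPLE-0002"},
]
# Constructed requirements file: one pinned and hash-locked entry, two loose ones.
REQUIREMENTS = """examplelib==2.0.1 --hash=sha256:PLACEHOLDER
oldlib>=0.9
somelib
"""

def parse_version(v):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def purl_ecosystem(purl):
    """Package type from a purl such as pkg:pypi/name@1.0 (None if malformed)."""
    m = re.match(r"pkg:([^/]+)/", purl)
    return m.group(1) if m else None

def find_vulnerable(sbom_json, advisories):
    """Components whose ecosystem and name match an advisory and whose version is below the fix."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        eco = purl_ecosystem(comp.get("purl", ""))   # the npm 'oldlib' is not hit by a pypi advisory
        for adv in advisories:
            if (adv["ecosystem"] == eco and adv["name"] == comp["name"]
                    and parse_version(comp["version"]) < parse_version(adv["fixed_in"])):
                findings.append((eco, comp["name"], comp["version"], adv["id"]))
    return findings

def unpinned_requirements(text):
    """Requirement lines that do not pin an exact version with '==' (a lockfile gap)."""
    loose = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "==" not in line.split()[0]:
            loose.append(line)  # first token is the spec; trailing tokens are options
    return loose
```

Matching on ecosystem as well as name matters because the same package name can exist on npm and PyPI with unrelated code and unrelated advisories.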

References

Industry framework: Information Security Manual (ISM-1849); OWASP Proactive Controls
Academic work: none listed
Real-world case: none listed