Declare dependencies explicitly
Summary
All dependencies (third-party software/libraries) must be explicitly declared (name and specific version) in a file inside the source code repository. Their source code must not be directly included in the repository.
Description
The usage of third-party software and libraries is very common in modern applications, as it greatly reduces the effort required to develop them. Unfortunately, this software may introduce vulnerabilities into the application, which causes it to require frequent updates. In order to ease the constant update process, instead of directly including third-party software source code in application repositories, it should merely be referenced and managed using a package manager.
Supported In
This requirement is verified in following services
| Plan | Supported |
|---|---|
| Essential | 🟢 |
| Advanced | 🟢 |
References
- OWASP TOP 10-A8. Software and data integrity failures
- Agile Alliance-1. Early and continuous delivery of valuable software
- Agile Alliance-9. Continuous attention to technical excellence and good design
- MISRA-C-3_6. All libraries used in production code shall be written
- MISRA-C-8_8. An external object or function shall be declared in one and only one file
- NYDFS-500_11. Third party service provider security policy
- MITRE ATT&CK®-M1044. Restrict library loading
- MITRE ATT&CK®-M1051. Update software
- PA-DSS-5_4_6. Process in place to review application updates
- HITRUST CSF-02_d. Management responsibilities
- HITRUST CSF-05_k. Addressing security in third party agreements
- HITRUST CSF-09_f. Monitoring and review of third-party services
- ISO/IEC 27002-8_28. Secure coding
- NIST SSDF-PS_1_1. Protect all forms of code from unauthorized access and tampering
- NIST SSDF-PW_4_1. Reuse existing, well-secured software when feasible instead of duplicating functionality
- NIST SSDF-PW_5_1. Archive and protect each software release
- MVSP-2_5. Application design controls - Security libraries
- OWASP ASVS-14_2_1. Dependency
- C2M2-9_4_d. Implement software security for cybersecurity architecture
- SIG Lite-SL_89. Is there a formal Software Development Life Cycle (SDLC) process?
- SIG Lite-SL_110. Are there any dependencies on critical third party service providers?
- SIG Core-I_2_1. Application security
- ISO/IEC 27001-8_28. Secure coding
- CASA-14_2_1. Dependency
Vulnerabilities
- 079.Non-upgradable dependencies
- 120.Improper dependency pinning
- 138.Inappropriate coding practices
- 410.Dependency Confusion
- 432.Inappropriate coding practices - relative path command
Free trial
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.