Profile Applicability:
Level 1

Description:
Implement automated processes to regularly scan and detect changes in the ownership or maintainership of packages within the package registry. This helps identify unauthorized or unexpected ownership transfers that could pose supply chain risks or introduce malicious packages.

Rationale:
Monitoring ownership changes helps detect when an attacker has gained control over a package used in software development, before the new owner can publish a malicious release, mitigating supply chain compromise risks. Early detection enables timely response and helps maintain the integrity and trustworthiness of software dependencies.

Impact:
Pros:

  • Enhances supply chain security by tracking package maintainership.

  • Enables proactive response to suspicious ownership changes.

  • Supports audit and compliance requirements.

  • Reduces risk of malicious package publication.

Cons:

  • Requires integration of monitoring tools and alerting systems.

  • May generate false positives requiring investigation.

Default value:
Ownership changes may not be tracked or monitored automatically, increasing risk exposure.

Audit:
Review logs and alerts related to package ownership changes. Verify that an automated scanning tool exists, that it holds a current baseline of expected maintainers for each dependency, that it runs on a schedule, and that a detected change actually produces an alert that is triaged.

Remediation:
Deploy automated monitoring solutions that track package ownership metadata. Establish alerting and response procedures for detected changes. Train security and development teams on supply chain risk management.
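The following script is an added example of the monitoring described in the Audit and Remediation sections; it is not part of the benchmark and not a tool published by npm, PyPI or CIS. It keeps a baseline of expected maintainers per package, extracts the current maintainer list from npm registry package documents (the public registry returns a top-level "maintainers" array of name/email objects), and reports additions, removals, complete maintainer turnover and packages that disappeared. All package and maintainer names below are constructed; only the registry URL is real. The network lookup is included for completeness but the demo runs fully offline.

```python
"""Ownership-change detector for npm dependencies (added example, constructed data)."""
import json
import urllib.request
from typing import Dict, List, Set

NPM_REGISTRY = "https://registry.npmjs.org"


def maintainers_from_npm_doc(doc: dict) -> Set[str]:
    """Return the set of maintainer usernames in an npm registry package document."""
    return {m["name"] for m in doc.get("maintainers", []) if isinstance(m, dict) and "name" in m}


def fetch_npm_maintainers(package: str, timeout: float = 10.0) -> Set[str]:
    """Live lookup against the public registry (network; not used by the offline demo)."""
    with urllib.request.urlopen(f"{NPM_REGISTRY}/{package}", timeout=timeout) as resp:
        return maintainers_from_npm_doc(json.load(resp))


def diff_ownership(baseline: Dict[str, Set[str]], current: Dict[str, Set[str]]) -> List[dict]:
    """Compare a baseline snapshot with a current one; one finding per changed package.

    Events: "changed" (some overlap with the baseline remains), "full_takeover"
    (no baseline maintainer is left, the strongest signal) and "missing"
    (package no longer resolvable, e.g. unpublished or renamed).
    """
    findings = []
    for pkg, expected in sorted(baseline.items()):
        if pkg not in current:
            findings.append({"package": pkg, "event": "missing",
                             "added": [], "removed": sorted(expected)})
            continue
        observed = current[pkg]
        added, removed = sorted(observed - expected), sorted(expected - observed)
        if added or removed:
            event = "changed" if observed & expected else "full_takeover"
            findings.append({"package": pkg, "event": event,
                             "added": added, "removed": removed})
    return findings


def format_alert(f: dict) -> str:
    """Render a finding as a one-line alert suitable for a log sink or chat hook."""
    return (f"[{f['event'].upper()}] {f['package']}: "
            f"added={f['added'] or '-'} removed={f['removed'] or '-'}")


# Constructed baseline: the maintainers we last approved for each dependency.
BASELINE: Dict[str, Set[str]] = {
    "left-pad-ish": {"alice"},
    "widget-core": {"bob", "carol"},
    "old-tool": {"dave"},
    "stable-lib": {"erin"},
}

# Constructed registry documents standing in for live responses from NPM_REGISTRY.
CURRENT_DOCS: Dict[str, dict] = {
    "left-pad-ish": {"name": "left-pad-ish", "maintainers": [
        {"name": "alice", "email": "alice@example.com"},
        {"name": "mallory", "email": "mallory@example.com"}]},   # new co-maintainer
    "widget-core": {"name": "widget-core", "maintainers": [
        {"name": "mallory", "email": "mallory@example.com"}]},   # every original owner gone
    "stable-lib": {"name": "stable-lib", "maintainers": [
        {"name": "erin", "email": "erin@example.com"}]},         # unchanged
    # "old-tool" is absent: the registry no longer returns a document for it
}


def run_demo() -> List[dict]:
    """Build the current snapshot from the constructed documents and diff it."""
    current = {pkg: maintainers_from_npm_doc(doc) for pkg, doc in CURRENT_DOCS.items()}
    return diff_ownership(BASELINE, current)


if __name__ == "__main__":
    for finding in run_demo():
        print(format_alert(finding))
```

In production the baseline would be persisted (sets serialised as sorted lists) and refreshed only after a human approves a change, so that an attacker-added maintainer is never silently absorbed into the expected set; the "full_takeover" event deserves a higher alert priority than a single added co-maintainer, since legitimate projects rarely replace every owner at once.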

References:

  1. npm Security Best Practices: https://docs.npmjs.com/security

  2. PyPI Security Features: https://packaging.python.org/en/latest/guides/security/

  3. CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/