Profile Applicability:
Level 1

Description:
All software packages integrated into the codebase or deployed through package registries must be automatically scanned for known security vulnerabilities using up-to-date vulnerability databases. This scanning process identifies insecure packages early, preventing the inclusion of components with exploitable flaws.

Rationale:
Automated vulnerability scanning helps detect and mitigate security risks arising from third-party dependencies. It enhances the security posture by ensuring only safe and patched packages are used, reducing the likelihood of supply chain attacks or exploitation.

Impact:
Pros:

  • Improves overall software security and reliability.

  • Enables proactive identification and remediation of vulnerable packages.

  • Supports compliance with security standards and policies.

  • Integrates seamlessly with CI/CD workflows.

Cons:

  • May produce false positives requiring manual review.

  • Requires continuous updating of vulnerability databases and scanning tools.

Default value:
Without automation, vulnerability scanning may be irregular or manual, increasing risk exposure.

Audit:
Review vulnerability scan reports and logs for package dependencies. Verify scanning frequency and tool effectiveness.

Remediation:
Integrate automated vulnerability scanning tools (e.g., Snyk, Dependabot, WhiteSource) into development and build pipelines. Establish policies for timely patching or replacement of vulnerable packages. Train developers on vulnerability management practices.
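The Audit and Remediation guidance above comes down to two checks a pipeline can enforce mechanically: the scan must have run against a current vulnerability database, and findings must be handled within a defined patching policy. The Python script below is an added example, not part of this benchmark and not code from Snyk, Dependabot, WhiteSource or OWASP Dependency-Check. It reads a scan report in a constructed, tool-neutral JSON shape (mapping a real scanner's output into that shape is assumed), rejects scans whose database is stale, blocks the build on critical or high findings, flags lower-severity findings that have exceeded their patching SLA, and honours reviewed exceptions (the manual false-positive review mentioned under Cons) only until they expire. Package names, advisory identifiers, dates and thresholds are all constructed placeholders.

```python
import json
from datetime import date

# Constructed scan output in a tool-neutral shape. Assumption: a real scanner's
# report (Dependency-Check, Snyk, Dependabot alerts) is mapped into this shape
# before the gate runs. The advisory ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "scanned_at": "2024-06-10",
    "database_updated_at": "2024-06-09",
    "findings": [
        {"package": "example-http", "version": "1.2.0", "id": "EXAMPLE-2024-0001",
         "severity": "critical", "first_seen": "2024-06-09", "fixed_in": "1.2.1"},
        {"package": "example-yaml", "version": "5.3", "id": "EXAMPLE-2024-0002",
         "severity": "medium", "first_seen": "2024-02-01", "fixed_in": "5.4"},
        {"package": "example-log", "version": "0.9", "id": "EXAMPLE-2024-0003",
         "severity": "low", "first_seen": "2024-06-01", "fixed_in": None},
    ],
})

# Policy knobs (constructed values; set them from your own patching standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # days allowed to patch
BLOCKING_SEVERITIES = {"critical", "high"}  # these fail the build immediately
MAX_DB_AGE_DAYS = 3  # a scan against an older feed is treated as untrustworthy

# Reviewed false positives or accepted risks. Each carries a hard expiry so the
# exception has to be re-justified instead of silently living forever.
EXCEPTIONS = {
    "EXAMPLE-2024-0003": {"expires": "2024-12-31",
                          "reason": "vulnerable code path not reachable (reviewed)"},
}


def evaluate(report_json, today_iso, exceptions=EXCEPTIONS):
    """Apply the patching policy to one scan report and return a verdict dict.

    today_iso is the evaluation date as an ISO string (injected so the gate is
    deterministic and testable rather than reading the wall clock).
    """
    today = date.fromisoformat(today_iso)
    report = json.loads(report_json)
    scanned_at = date.fromisoformat(report["scanned_at"])
    db_updated = date.fromisoformat(report["database_updated_at"])
    verdict = {
        # Scanning with a stale database gives false confidence: new advisories
        # published since the last feed update are simply invisible to it.
        "stale_database": (scanned_at - db_updated).days > MAX_DB_AGE_DAYS,
        "blocking": [], "overdue": [], "exempted": [], "tracked": [],
    }
    for finding in report["findings"]:
        fid = finding["id"]
        exc = exceptions.get(fid)
        if exc and date.fromisoformat(exc["expires"]) >= today:
            verdict["exempted"].append(fid)
            continue  # an expired exception falls through and is re-evaluated
        severity = finding["severity"].lower()
        if severity in BLOCKING_SEVERITIES:
            verdict["blocking"].append(fid)
            continue
        age_days = (today - date.fromisoformat(finding["first_seen"])).days
        # Unknown severities get an SLA of 0 days, i.e. they fail closed.
        if age_days > SLA_DAYS.get(severity, 0):
            verdict["overdue"].append(fid)
        else:
            verdict["tracked"].append(fid)
    verdict["pass"] = not (verdict["stale_database"]
                           or verdict["blocking"] or verdict["overdue"])
    return verdict


if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORT, date.today().isoformat())
    print(json.dumps(result, indent=2))
    # A non-zero exit status is what makes the CI job fail.
    raise SystemExit(0 if result["pass"] else 1)
```

Run as a pipeline step after the scanner, the script's exit status is the gate; the printed verdict is what an auditor reviews alongside the scanner's own report, since it records which findings were blocked, which are overdue against the SLA, and which were consciously exempted and until when.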

References:

  1. OWASP Dependency-Check: https://owasp.org/www-project-dependency-check/

  2. Snyk Vulnerability Scanning: https://snyk.io/

  3. CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/