Profile Applicability:
Level 1

Description:
An organization-wide policy governing the use of software dependencies must be established and enforced. This policy should define approved sources, license requirements, security standards, versioning guidelines, and procedures for introducing, updating, and removing dependencies to maintain software quality and security.

Rationale:
A unified dependency usage policy reduces risks associated with unvetted or insecure third-party libraries, ensures compliance with licensing obligations, and promotes consistency across projects. Enforcing this policy supports secure development practices and mitigates supply chain vulnerabilities.

Impact:
Pros:

  • Enhances software security and reliability.

  • Ensures legal and licensing compliance.

  • Promotes consistency and standardization.

  • Facilitates audit and risk management.

Cons:

  • Requires ongoing maintenance and enforcement.

  • May introduce delays if policy compliance processes are complex.

Default value:
Without an enforced policy, dependency usage may be inconsistent and prone to security and compliance issues.

Audit:
Review organizational policies and project configurations for compliance with dependency usage standards. Conduct periodic audits of dependency inventories and usage patterns.

Remediation:
Develop and communicate a comprehensive dependency usage policy. Integrate policy enforcement into CI/CD pipelines using automated tools. Train development teams on policy requirements and procedures.
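The following is an added example, not part of this recommendation or any CIS tooling, showing what "automated policy enforcement in a CI/CD pipeline" can look like in practice. It encodes three of the policy elements named in the Description (approved sources, a license allowlist, and a version-pinning rule) and evaluates a dependency inventory against them, failing the build when any dependency is out of policy. The inventory line format, the policy values, and the package names are all constructed for illustration; a real pipeline would feed this check from the project's lock files or an SBOM rather than a hand-written list.

```python
"""Dependency-policy gate for CI/CD (added example; constructed policy and data)."""
import re
import sys
from dataclasses import dataclass

# Constructed organizational policy. The sets below are placeholders for
# the registries and SPDX license identifiers an organization actually approves.
POLICY = {
    "approved_sources": {"https://pypi.org/simple/", "https://registry.npmjs.org/"},
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "require_exact_pin": True,  # versioning guideline: no ranges or carets
}

# Exact semantic version, e.g. 2.31.0; anything else counts as a range.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")

# Constructed inventory line format: name==version source=<url> license=<spdx>
INVENTORY_LINE = re.compile(r"^(\S+)==(\S+)\s+source=(\S+)\s+license=(\S+)$")


@dataclass
class Dependency:
    name: str
    version: str
    source: str
    license_id: str


def parse_inventory(text):
    """Parse the constructed inventory format; reject malformed lines loudly
    so a broken inventory cannot silently pass the gate."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = INVENTORY_LINE.match(line)
        if not m:
            raise ValueError(f"malformed inventory line: {line!r}")
        deps.append(Dependency(*m.groups()))
    return deps


def check_dependency(dep, policy):
    """Return a list of policy findings for one dependency (empty if compliant)."""
    findings = []
    if dep.source not in policy["approved_sources"]:
        findings.append(f"{dep.name}: unapproved source {dep.source}")
    if dep.license_id not in policy["allowed_licenses"]:
        findings.append(f"{dep.name}: license {dep.license_id} not on allowlist")
    if policy["require_exact_pin"] and not EXACT_VERSION.match(dep.version):
        findings.append(f"{dep.name}: version '{dep.version}' is not an exact pin")
    return findings


def evaluate_inventory(text, policy=POLICY):
    """Evaluate every dependency in the inventory and collect all findings."""
    findings = []
    for dep in parse_inventory(text):
        findings.extend(check_dependency(dep, policy))
    return findings


# Constructed sample inventory (not real project data): one compliant entry
# and three that each violate a different policy element.
SAMPLE_INVENTORY = """
http-client==2.31.0 source=https://pypi.org/simple/ license=Apache-2.0
string-pad==1.3.0 source=https://registry.npmjs.org/ license=WTFPL
internal-utils==0.4.1 source=https://pkg.example.internal/ license=MIT
util-lib==^4.17 source=https://registry.npmjs.org/ license=MIT
"""


def main():
    findings = evaluate_inventory(SAMPLE_INVENTORY)
    for f in findings:
        print("POLICY VIOLATION:", f)
    # Non-zero exit fails the pipeline stage that runs this gate.
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Run as a pipeline step, the script exits non-zero on the three constructed violations (a disallowed license, an unapproved internal registry, and a caret version range) and zero on a clean inventory, which is the property the Remediation text relies on: the policy is enforced by the build rather than by review alone.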

References:

  1. OWASP Software Component Verification Standard: https://owasp.org/www-project-software-component-verification-standard/

  2. The Linux Foundation Open Source Security Foundation (OpenSSF): https://openssf.org/

  3. CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/