Profile Applicability:
Level 2
Description:
Every package version integrated into a project, including new versions of dependencies already in use, must have been publicly released for at least 60 days before it may be adopted. This cooling-off period gives maintainers, the community and scanners time to identify and fix early vulnerabilities or critical bugs, or to pull a malicious release, reducing the risk of introducing unstable or insecure code into the codebase.
Rationale:
Newly released package versions may contain vulnerabilities or defects that have not yet been discovered, and malicious releases (typosquats, backdoored updates, versions published from a compromised maintainer account) are often identified and removed from registries shortly after publication. A minimum age policy lets that detection happen before the version reaches the codebase; it does not vet the package itself, but it minimizes exposure to the window in which problems are most likely to be found, lowering supply chain risk and improving overall software quality.
Impact:
Pros:
Reduces exposure to defects and malicious releases that are discovered and pulled shortly after publication.
Increases software stability and reliability.
Supports risk management in dependency selection.
Cons:
Delays adoption of new features and, unless an exception process exists, of security patches shipped in a new version.
Limits use of the latest package versions, so pins and lockfiles must be kept at older versions deliberately.
Default value:
Package managers and registries impose no minimum age: a newly published version is installable immediately, and most organizations do not restrict this.
Audit:
For each pinned dependency, including transitive ones recorded in the lockfile, obtain the version's first publication date from registry metadata (for example the PyPI JSON API's `upload_time_iso_8601` field, or `npm view <package> time`) and compare it with the date the version was introduced into the project (the lockfile commit date), not merely with today's date, since a version adopted too early will otherwise pass once it ages. Verify that no version was less than 60 days old when introduced, and treat any pin whose release date cannot be determined as a finding.
Remediation:
Enforce the minimum age where dependency updates originate: configure the update bot with a cooling-off period (for example Renovate's `minimumReleaseAge` or Dependabot's `cooldown` setting) so that versions younger than 60 days are not proposed, and add a CI check that fails when a lockfile pins a version below the threshold. Define an exception path for urgent security fixes that is reviewed and recorded rather than silently bypassed. Educate development teams on dependency risk management.
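The following script is an added example for the Audit step and the CI check mentioned under Remediation; it is not part of the benchmark or of any vendor tool. It assumes a pip-style lockfile with exact `==` pins and registry metadata shaped like the PyPI JSON API (`releases` keyed by version, each file carrying `upload_time_iso_8601`). The lockfile, the registry responses and the evaluation date `NOW` are constructed inline so the script runs offline and its results are reproducible.

```python
"""Minimum-release-age check for pinned dependencies (added example, not benchmark code).

Assumes: pip-style "name==version" pins; registry metadata in PyPI JSON-API shape.
The LOCKFILE, REGISTRY and NOW values below are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MIN_AGE = timedelta(days=60)

# Fixed evaluation date (constructed). For a retrospective audit use the date
# the pin was committed, not today's date.
NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)

# Constructed lockfile: comments, hash continuation lines and environment
# markers are exactly what a naive parser trips on.
LOCKFILE = """\
# generated by pip-compile
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
Example_Lib==1.4.0 ; python_version >= "3.9"
freshlib==0.1.0
ghostlib==9.9.9
"""

# Constructed registry responses, keyed by normalized project name.
REGISTRY = {
    "requests": {"releases": {
        "2.32.3": [{"upload_time_iso_8601": "2024-05-29T15:00:00.000000Z"}],
    }},
    "example-lib": {"releases": {
        "1.4.0": [
            {"upload_time_iso_8601": "2025-03-02T12:00:00Z"},  # sdist, uploaded later
            {"upload_time_iso_8601": "2025-02-28T23:30:00Z"},  # wheel, first public file
        ],
    }},
    "freshlib": {"releases": {
        "0.1.0": [{"upload_time_iso_8601": "2025-04-20T08:00:00Z"}],
    }},
    # Pinned version absent from the registry (deleted, never existed, or a typo).
    "ghostlib": {"releases": {}},
}

PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;\\]+)")


def normalize(name: str) -> str:
    """PEP 503 normalization so Example_Lib and example-lib compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_lockfile(text: str) -> list[tuple[str, str]]:
    """Return (normalized name, version) for every exact pin in the lockfile."""
    pins = []
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            pins.append((normalize(m.group(1)), m.group(2)))
    return pins


def first_upload(meta: dict, version: str) -> datetime | None:
    """Earliest upload of any file for the version: when it became installable."""
    files = meta.get("releases", {}).get(version, [])
    times = [
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for f in files if "upload_time_iso_8601" in f
    ]
    return min(times) if times else None


@dataclass
class Finding:
    name: str
    version: str
    age_days: int | None  # None when the release date is unknown
    status: str           # "ok", "too-new" or "unknown"


def audit(lockfile: str = LOCKFILE, registry: dict = REGISTRY,
          now: datetime = NOW, min_age: timedelta = MIN_AGE) -> list[Finding]:
    """Evaluate every pin against the minimum age; undatable pins fail closed."""
    findings = []
    for name, version in parse_lockfile(lockfile):
        released = first_upload(registry.get(name, {}), version)
        if released is None:
            findings.append(Finding(name, version, None, "unknown"))
            continue
        age = now - released
        findings.append(Finding(name, version, age.days,
                                "ok" if age >= min_age else "too-new"))
    return findings


def violations(findings: list[Finding]) -> list[Finding]:
    """Findings that should fail the CI gate."""
    return [f for f in findings if f.status != "ok"]


if __name__ == "__main__":
    results = audit()
    for f in results:
        print(f"{f.status:8} {f.name}=={f.version} age_days={f.age_days}")
    raise SystemExit(1 if violations(results) else 0)
```

The age is measured from the earliest file upload for the version, because that is when the code became installable; in the constructed data `example-lib` passes on its wheel date but would be flagged if the later sdist date were used. A pin that cannot be dated is reported as `unknown` rather than silently passing, and the process exits non-zero on any violation so it can gate CI. To run it against a real project, replace `REGISTRY` with the response of `https://pypi.org/pypi/<name>/json` for each pin and set `now` to the lockfile commit date for an audit or `datetime.now(timezone.utc)` for a pre-merge check; the exception path for urgent security fixes described under Remediation has to be layered on top, since the script exempts nothing.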
References:
OWASP Dependency-Check: https://owasp.org/www-project-dependency-check/
The Update Framework (TUF): https://theupdateframework.io/
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/