Profile Applicability:
Level 1

Description:
Organizations must establish and maintain a list of trusted package managers and repositories that are authorized for use in software development. Prioritizing these approved sources minimizes the risk posed by unverified or malicious packages and ensures that dependencies are obtained only from reliable, secure locations.

Rationale:
Using trusted package sources reduces the risk of introducing malicious or vulnerable components via unvetted repositories. Prioritizing these sources strengthens supply chain security, maintains software integrity, and supports compliance with organizational and regulatory requirements.

Impact:
Pros:

  • Enhances software supply chain security.

  • Prevents use of untrusted or compromised packages.

  • Supports regulatory and internal compliance.

  • Simplifies dependency management and auditing.

Cons:

  • May limit flexibility in sourcing packages.

  • Requires ongoing maintenance of trusted source lists.

Default value:
By default, developers may use any available package managers or repositories, increasing risk exposure.

Audit:
Review configuration files and build pipelines to verify use of approved package managers and repositories. Check policies and documentation for defined trusted sources.

Remediation:
Create and communicate a list of approved package managers and repositories. Configure tooling and build environments to restrict or prioritize these sources. Monitor and update the list regularly.
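One way to carry out the audit and remediation steps above, as an added example that is not part of the benchmark text or its references: a Python checker that parses npm (.npmrc) and pip (pip.conf) configuration for registry URLs and reports every source whose host is not on the organization's allowlist or is not reached over HTTPS. The approved hostnames and the sample configuration contents are constructed for illustration.

```python
"""Audit package-manager configuration against an approved-source allowlist."""
import configparser
from urllib.parse import urlparse

# Constructed allowlist: hosts the organization has approved as package sources.
APPROVED_HOSTS = {"registry.npmjs.org", "pypi.org", "artifacts.example.internal"}

def host_of(url):
    """Return the hostname of an HTTPS repository URL; None for plaintext or malformed URLs."""
    parsed = urlparse(url.strip())
    return parsed.hostname if parsed.scheme == "https" else None

def npmrc_sources(text):
    """Yield (key, url) for default and scoped registry settings in .npmrc content."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, sep, value = line.partition("=")
        # 'registry=' and '@scope:registry=' select a source; auth-token lines do not.
        if sep and key.strip().endswith("registry"):
            yield key.strip(), value.strip()

def pip_conf_sources(text):
    """Yield (key, url) for index-url / extra-index-url entries in pip.conf content."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    for section in cp.sections():
        for key in ("index-url", "extra-index-url"):
            if cp.has_option(section, key):
                # extra-index-url may list several whitespace-separated URLs.
                for url in cp.get(section, key).split():
                    yield f"{section}.{key}", url

def audit(sources):
    """Return (key, url) findings for every source not on the allowlist."""
    return [(key, url) for key, url in sources if host_of(url) not in APPROVED_HOSTS]

# Constructed sample configs: one approved source and one unapproved source each.
SAMPLE_NPMRC = ("registry=https://registry.npmjs.org/\n"
                "@acme:registry=http://mirror.untrusted.example/\n")
SAMPLE_PIP_CONF = ("[global]\nindex-url = https://pypi.org/simple\n"
                   "extra-index-url = https://artifacts.example.internal/simple "
                   "http://pypi.untrusted.example/simple\n")

if __name__ == "__main__":
    for name, findings in (("npmrc", audit(npmrc_sources(SAMPLE_NPMRC))),
                           ("pip.conf", audit(pip_conf_sources(SAMPLE_PIP_CONF)))):
        for key, url in findings:
            print(f"[{name}] unapproved source: {key} -> {url}")
```

In a pipeline, run the same checks over the real configuration files checked into each repository and fail the build on any finding.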

References:

  1. OWASP Software Supply Chain Security: https://owasp.org/www-project-software-supply-chain-security/

  2. npm Security Best Practices: https://docs.npmjs.com/security

  3. CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/