Profile Applicability:
Level 1
Description:
All open-source components and their interdependencies must be actively monitored to identify security vulnerabilities, license compliance issues, and compatibility conflicts. Continuous monitoring involves tracking updates, security advisories, and changes in all dependent components within the software supply chain.
Rationale:
Monitoring dependencies between open-source components reduces the risk of introducing vulnerable or incompatible libraries into the software. It supports timely identification and remediation of security flaws and compliance violations, thereby enhancing the overall security and stability of the software.
Impact:
Pros:
Early detection of vulnerabilities in dependencies.
Ensures license compliance across all components.
Improves software reliability and compatibility.
Facilitates proactive risk management and incident response.
Cons:
Requires investment in monitoring tools and processes.
May increase operational workload for development and security teams.
Default value:
Many organizations do not actively monitor the full dependency chain of open-source components, leading to unmanaged risks.
Audit:
Review reports and alerts from dependency monitoring tools. Verify that updates and vulnerability advisories for open-source components are tracked and acted upon.
Remediation:
Implement automated tools for continuous dependency monitoring and vulnerability scanning (e.g., OWASP Dependency-Check, Snyk). Define processes to review and address findings regularly. Educate teams on managing open-source dependencies securely.
References:
OWASP Dependency-Check: https://owasp.org/www-project-dependency-check/
GitHub Dependabot: https://docs.github.com/en/code-security/dependabot
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/