Profile Applicability:
Level 1
Description:
All third-party software artifacts and open-source libraries used in the development process must be verified for authenticity and integrity before integration. Verification includes checking digital signatures, hash values, and source reputations to ensure the components have not been tampered with or replaced by malicious versions.
Rationale:
Verifying third-party and open-source components mitigates risks associated with supply chain attacks, unauthorized modifications, and inclusion of vulnerable or malicious code. It supports maintaining software trustworthiness and compliance with security policies and regulatory requirements.
Impact:
Pros:
Prevents integration of compromised or malicious components.
Enhances software supply chain security.
Supports compliance and audit readiness.
Facilitates incident response and forensic analysis.
Cons:
Requires tooling and processes for verification.
May increase build and integration complexity.
Default value:
Some organizations may not consistently verify third-party or open-source components, exposing themselves to risks.
Audit:
Review logs and records of artifact and library verification activities. Inspect build and deployment pipelines for enforced verification steps.
Remediation:
Implement automated verification of digital signatures and checksums for all third-party and open-source dependencies. Establish policies requiring verification prior to integration. Train teams on verification processes and tools.
References:
The Update Framework (TUF): https://theupdateframework.io/
OWASP Software Supply Chain Security: https://owasp.org/www-project-software-supply-chain-security/
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/