Profile Applicability:
Level 1
Description:
All software dependencies must be validated for authenticity, integrity, and security before they are incorporated into the development process. Validation includes verifying the publisher's digital signature on each artifact, comparing the artifact's hash against the value pinned in the lockfile, checking the pinned version against vulnerability advisories, and confirming that the package license complies with organizational policy, so that only known, unmodified, and acceptable components reach the build.
Rationale:
Validating dependencies mitigates risks from supply chain attacks, malicious or corrupted packages, and incompatible or vulnerable components. It enhances software quality, security posture, and compliance with organizational policies and industry standards.
Impact:
Pros:
Prevents introduction of malicious or vulnerable code.
Ensures compliance with legal and licensing obligations.
Supports stable and secure software builds.
Facilitates audit and risk management.
Cons:
May require additional tools and processes.
Could introduce delays in development workflows.
Default value:
By default, package managers typically resolve and install dependencies without verifying signatures, comparing hashes against pinned values, consulting vulnerability advisories, or enforcing license policy, so unvalidated dependencies enter the build unless these checks are explicitly enabled and made blocking.
Audit:
Confirm that each project commits a lockfile that pins dependency versions together with their hashes, and that the CI/CD pipeline contains a validation step that fails the build on a hash mismatch, an invalid or missing signature, a known vulnerability, or a disallowed license. Review dependency management logs and validation records to confirm the step actually ran for recent builds, and inspect the automated tools and policies that enforce it.
Remediation:
Pin dependency versions with hashes in a lockfile and require hash verification at install time. Implement automated validation in CI/CD pipelines that verifies artifact signatures (for example, using a TUF-based update framework), scans pinned versions for known vulnerabilities (for example, with OWASP Dependency-Check), and checks licenses against an allowed list, failing the build on any finding. Establish policies mandating dependency validation and educate developers on secure dependency management practices.
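The following is an added example of the kind of pre-install gate the Audit and Remediation sections describe; it is not part of this benchmark or of any referenced tool. It parses a hash-pinned manifest in the style of pip's --require-hashes lines, verifies each downloaded artifact's SHA-256 against the pinned digest, checks the pinned version against an advisory index, and checks the package license against an allowed list. The package names, digests, advisory identifier, license metadata and artifact bytes are all constructed for the example; signature verification (TUF, for instance) is a separate step not shown here.

```python
"""Pre-install gate for pinned dependencies: hash, advisory and license checks."""
import hashlib
import hmac
import re
import sys
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data. Package names, digests and advisory IDs are invented
# for illustration; the manifest mimics pip's --require-hashes line format.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed advisory index: (package, version) -> advisory reference.
ADVISORIES = {
    ("leftpad-ng", "1.0.3"): "EXAMPLE-ADV-0001",
}

# Constructed license metadata, as would be read from each package's metadata.
PACKAGE_LICENSES = {
    "example-json": "MIT",
    "leftpad-ng": "MIT",
    "telemetry-kit": "Proprietary",
    "fastparse": "Apache-2.0",
}

# One pin per line with exactly one sha256 hash (a simplification of pip's format).
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<sha256>[0-9a-fA-F]{64})\s*$"
)


@dataclass(frozen=True)
class Pin:
    name: str
    version: str
    sha256: str  # expected digest taken from the lockfile


@dataclass(frozen=True)
class Finding:
    name: str
    check: str  # "hash", "vulnerability" or "license"
    detail: str


def parse_manifest(text: str) -> List[Pin]:
    """Parse hash-pinned lines; any requirement without an exact pin and hash is rejected."""
    pins = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a hash-pinned requirement: {line!r}")
        pins.append(Pin(m["name"].lower(), m["version"], m["sha256"].lower()))
    return pins


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_hash(pin: Pin, artifact: bytes) -> bool:
    # Constant-time comparison; equal length is guaranteed by PIN_RE.
    return hmac.compare_digest(sha256_hex(artifact), pin.sha256)


def validate(pins: List[Pin], artifacts: Dict[str, bytes],
             advisories=ADVISORIES, licenses=PACKAGE_LICENSES,
             allowed=ALLOWED_LICENSES) -> List[Finding]:
    """Run every check on every pin and return all findings (an empty list means pass)."""
    findings = []
    for pin in pins:
        artifact = artifacts.get(pin.name)
        if artifact is None:
            findings.append(Finding(pin.name, "hash", "no downloaded artifact to verify"))
        elif not verify_hash(pin, artifact):
            findings.append(Finding(pin.name, "hash",
                f"sha256 mismatch: lockfile {pin.sha256[:12]}..., artifact {sha256_hex(artifact)[:12]}..."))
        adv = advisories.get((pin.name, pin.version))
        if adv is not None:
            findings.append(Finding(pin.name, "vulnerability", f"{pin.version} affected by {adv}"))
        lic = licenses.get(pin.name, "UNKNOWN")  # unknown license is treated as disallowed
        if lic not in allowed:
            findings.append(Finding(pin.name, "license", f"{lic!r} is not in the allowed set"))
    return findings


def build_sample():
    """Constructed lockfile and 'downloaded' artifacts exercising each failure mode."""
    good = b"constructed wheel bytes for the example"
    tampered = good + b" plus an injected post-install hook"
    manifest = "\n".join([
        "# constructed lockfile",
        f"example-json==2.1.0 --hash=sha256:{sha256_hex(good)}",
        f"leftpad-ng==1.0.3 --hash=sha256:{sha256_hex(good)}",    # listed in ADVISORIES
        f"telemetry-kit==0.9.0 --hash=sha256:{sha256_hex(good)}",  # license not allowed
        f"fastparse==3.0.0 --hash=sha256:{sha256_hex(good)}",      # artifact below is tampered
    ])
    artifacts = {"example-json": good, "leftpad-ng": good,
                 "telemetry-kit": good, "fastparse": tampered}
    return manifest, artifacts


if __name__ == "__main__":
    manifest, artifacts = build_sample()
    results = validate(parse_manifest(manifest), artifacts)
    for f in results:
        print(f"FAIL [{f.check}] {f.name}: {f.detail}")
    sys.exit(1 if results else 0)  # non-zero exit makes the pipeline stage fail
```

Wired into a pipeline, the gate runs between the download step and the install step, so a tampered artifact, a version with a published advisory, or a package with an unapproved license never reaches the build; the rejected-by-default handling of unpinned lines and unknown licenses is deliberate, since a gate that passes what it cannot classify provides no assurance.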
References:
OWASP Dependency-Check: https://owasp.org/www-project-dependency-check/
The Update Framework (TUF): https://theupdateframework.io/
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/