Profile Applicability:
Level 1
Description:
All external dependencies utilized during the build process must be locked to specific, known versions using dependency lock files or equivalent mechanisms. This ensures build reproducibility, prevents unexpected updates, and minimizes risks from unvetted or malicious dependency changes.
Rationale:
Locking dependencies reduces the risk of introducing vulnerabilities or breaking changes through automatic upgrades. It enables consistent builds, easier debugging, and improved security posture by controlling the exact versions used throughout the development lifecycle.
Impact:
Pros:
Enhances build consistency and reliability.
Mitigates supply chain security risks.
Facilitates vulnerability management and auditing.
Simplifies troubleshooting and rollbacks.
Cons:
Requires maintenance of lock files and dependency updates.
May delay access to latest security patches or features.
Default value:
Many build systems do not enforce dependency locking by default, leading to variable build outputs.
Audit:
Review build configurations and repository files to confirm that dependency lock files (e.g., package-lock.json, Pipfile.lock) are present and actually used. Verify that builds consistently resolve the locked versions rather than re-resolving version ranges.
Remediation:
Implement policies mandating use of dependency locking mechanisms. Integrate lock file verification into CI/CD pipelines. Train development teams on managing and updating locked dependencies securely.
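A lock file check of the kind the Audit and Remediation sections call for, written as an added example for this page rather than taken from the benchmark or any tool: it flags manifests with no companion lock file, npm dependencies that are absent from package-lock.json or lack an integrity hash, and Pipfile.lock entries that are not exact pins with hashes. All sample inputs and package names below are constructed; the node_modules/<name> key layout assumes npm lockfileVersion 2 or 3, and the default/develop sections follow Pipfile.lock.

```python
# Manifest -> lock file pairs the audit looks for. package-lock.json and
# Pipfile.lock are the examples named in the Audit section; the pairing
# itself is how npm and pipenv name these files.
LOCK_FOR_MANIFEST = {"package.json": "package-lock.json", "Pipfile": "Pipfile.lock"}

def missing_lock_files(repo_files):
    """Return manifests present in the repository whose lock file is absent."""
    files = set(repo_files)
    return sorted(m for m, lock in LOCK_FOR_MANIFEST.items() if m in files and lock not in files)

def audit_npm_lock(manifest, lock):
    """Findings for a package.json / package-lock.json pair (lockfileVersion 2 or 3).
    Every declared dependency must resolve to a lock entry carrying an exact
    version and an integrity hash; otherwise the build is not really pinned."""
    findings = []
    declared = {**manifest.get("dependencies", {}), **manifest.get("devDependencies", {})}
    packages = lock.get("packages", {})
    for name in sorted(declared):
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            findings.append(f"{name}: declared in package.json but missing from package-lock.json")
        elif not entry.get("integrity"):
            findings.append(f"{name}: lock entry {entry.get('version')} has no integrity hash")
    return findings

def audit_pipfile_lock(lock):
    """Findings for Pipfile.lock: each entry must be an exact '==' pin with hashes."""
    findings = []
    for section in ("default", "develop"):
        for name, spec in sorted(lock.get(section, {}).items()):
            if not spec.get("version", "").startswith("=="):
                findings.append(f"{name}: version '{spec.get('version')}' is not an exact pin")
            if not spec.get("hashes"):
                findings.append(f"{name}: no hashes recorded")
    return findings

# Constructed sample inputs (no real project or package is referenced).
SAMPLE_FILES = ["package.json", "package-lock.json", "Pipfile"]  # Pipfile.lock is missing
SAMPLE_MANIFEST = {"dependencies": {"pkg-a": "^1.3.0", "pkg-b": "^4.17.0", "pkg-c": "~2.0.0"}}
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "node_modules/pkg-b": {"version": "4.17.21", "integrity": "sha512-CONSTRUCTED"},
    "node_modules/pkg-c": {"version": "2.0.3"}}}  # pinned, but no integrity hash

if __name__ == "__main__":
    for f in missing_lock_files(SAMPLE_FILES) + audit_npm_lock(SAMPLE_MANIFEST, SAMPLE_LOCK):
        print("FAIL:", f)
```

Running it in CI and failing the job on any FAIL line turns the Audit step into an enforced gate.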
References:
npm Package Lock File: https://docs.npmjs.com/cli/v9/configuring-npm/package-lock-json
Python Pipenv Locking: https://pipenv.pypa.io/en/latest/basics/#pipfile-and-pipfile-lock
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/