Profile Applicability:
Level 1
Description:
Automated vulnerability scanning tools must be deployed to analyze all open-source packages used within the software for known security vulnerabilities. These scanners help identify outdated, vulnerable, or compromised packages to facilitate timely remediation and reduce supply chain risks.
Rationale:
Open-source components can contain vulnerabilities that expose software to attacks. Continuous scanning of used packages enables early detection and mitigation, improving overall software security and compliance with industry standards.
Impact:
Pros:
Early identification of vulnerable open-source packages.
Supports timely patching and upgrades.
Enhances software supply chain security.
Facilitates compliance and audit readiness.
Cons:
Requires integration and maintenance of scanning tools.
Potential for false positives requiring manual validation.
Default value:
Many organizations do not routinely scan open-source packages for vulnerabilities, increasing risk exposure.
Audit:
Review vulnerability scan reports and remediation records for open-source packages. Verify integration of scanning tools in CI/CD pipelines.
Remediation:
Adopt tools like OWASP Dependency-Check, Snyk, or GitHub Dependabot for continuous scanning. Define policies for addressing identified vulnerabilities. Train developers on secure dependency management.
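As an added illustration of the "define policies for addressing identified vulnerabilities" step (example code, not from this benchmark or from any of the named tools): a small CI gate that reads a scan report, blocks the build above a CVSS threshold, and honours documented exceptions with an expiry date so false positives validated by hand do not stall the pipeline indefinitely. The report layout is an assumption modelled on OWASP Dependency-Check's JSON export, and the package names, CVE ids, threshold and exception list are constructed placeholders.

```python
"""Build gate over a dependency-scan report (added example, not page code).
Assumed input layout, modelled on OWASP Dependency-Check's JSON export:
dependencies[] -> packages[].id (purl), vulnerabilities[].name / cvssv3.baseScore
"""
import json
from datetime import date

# Constructed sample report; package names and CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "example-lib-1.2.3.tgz",
     "packages": [{"id": "pkg:npm/example-lib@1.2.3"}],
     "vulnerabilities": [{"name": "CVE-EXAMPLE-0001", "severity": "HIGH",
                          "cvssv3": {"baseScore": 7.4}}]},
    {"fileName": "example-util-0.9.0.tgz",
     "packages": [{"id": "pkg:npm/example-util@0.9.0"}],
     "vulnerabilities": [{"name": "CVE-EXAMPLE-0002", "severity": "CRITICAL",
                          "cvssv3": {"baseScore": 9.8}},
                         {"name": "CVE-EXAMPLE-0003", "severity": "LOW",
                          "cvssv3": {"baseScore": 3.1}}]},
    {"fileName": "example-clean-2.0.0.tgz",
     "packages": [{"id": "pkg:npm/example-clean@2.0.0"}],
     "vulnerabilities": []},
]})

# Hypothetical policy: block the build at or above this CVSS v3 score unless
# the finding has a recorded, unexpired exception (a manually validated false
# positive, or an accepted risk with a review date).
FAIL_AT_CVSS = 7.0
EXCEPTIONS = {"CVE-EXAMPLE-0001": date(2099, 1, 1)}  # CVE id -> expiry date


def evaluate(report_json, threshold=FAIL_AT_CVSS, exceptions=EXCEPTIONS,
             today=None):
    """Return (passed, blocking, waived); findings are (package, cve, score)."""
    today = today or date.today()
    blocking, waived = [], []
    for dep in json.loads(report_json).get("dependencies", []):
        pkgs = dep.get("packages") or [{"id": dep.get("fileName", "?")}]
        for vuln in dep.get("vulnerabilities", []):
            score = float((vuln.get("cvssv3") or {}).get("baseScore", 0))
            if score < threshold:
                continue  # below policy threshold: report elsewhere, do not block
            finding = (pkgs[0]["id"], vuln["name"], score)
            expiry = exceptions.get(vuln["name"])
            if expiry is not None and expiry >= today:
                waived.append(finding)  # exception still valid
            else:
                blocking.append(finding)  # no exception, or it has expired
    return not blocking, blocking, waived
```

In a pipeline, call evaluate() on the scanner's report and fail the job when the first element is False; the waived list is the audit trail of exceptions that auditors would review alongside the scan reports.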
References:
OWASP Dependency-Check: https://owasp.org/www-project-dependency-check/
GitHub Dependabot: https://docs.github.com/en/code-security/dependabot
CIS Controls v8, Control 4 - Secure Configuration of Enterprise Assets and Software: https://www.cisecurity.org/controls/secure-configuration-of-enterprise-assets-and-software/