R262. Verify third-party components

This document contains the details of the security requirements related to the definition and management of third-party services in the organization. This requirement establishes the importance of verifying that third-party components are always up to date in a stable and tested version.

Requirement

The system must use stable, tested and up-to-date versions of third-party components.

Description

  1. The organization must ensure that the versions of all of its own products, and of the products provided by third parties, are up to date, stable and tested. This reduces the risk of carrying vulnerabilities that were reported and fixed in previous versions.

  2. When a product changes version, the changes it introduces must be reviewed to verify whether they include fixes or new controls for recently discovered vulnerabilities.

Implementation

  1. Identify all the products that compose the technology stack, including operating systems, versions, dependencies, and logical and physical authentication features. This inventory must be constantly updated.

  2. Monitor the security of all identified components in public vulnerability databases, implementing alerts for when vulnerabilities are publicly disclosed for the products the organization uses and determining the level of impact that the reported vulnerabilities have on it.

  3. Apply the necessary updates, taking into account the vulnerability type, the affected components, and their risk classification within the organization.

  4. Define security policies for the components in use, requiring updated versions, specific software, ethical hacking and product licenses; include internal policies to disable unused features and to change default settings that may pose a risk to the organization.
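The implementation steps above (an inventory of components, monitoring of public advisories, and updates prioritized by risk) can be exercised with a small script. The following is an added example and is not part of the Fluid Attacks requirement page: the inventory lines, the advisory records, their identifiers (ADV-000x) and the severity scale are all constructed for illustration, and a real deployment would feed the advisories from a public database and the inventory from the organization's own asset register. It goes slightly beyond the text by handling version ranges with open bounds and by showing that an older, unaffected version is correctly left out of the findings.

```python
"""Match pinned third-party components against an advisory list and rank what
to update first. Constructed example; the inventory, advisories and severity
scale below are illustrative placeholders, not real products or advisories."""

import re

# Constructed inventory in "name==version" form (step 1: the component inventory).
INVENTORY = """
# constructed sample inventory
libfoo==1.2.3
webframework==4.0.1
tlslib==2.9.0
imagelib==0.8.5
"""

# Constructed advisories (step 2: monitoring public vulnerability databases).
# "affected" holds (min_inclusive, max_exclusive) version ranges; None means
# the range is unbounded on that side.
ADVISORIES = [
    {"id": "ADV-0001", "component": "libfoo", "affected": [("1.0.0", "1.2.4")],
     "severity": "high", "fixed_in": "1.2.4"},
    {"id": "ADV-0002", "component": "tlslib", "affected": [(None, "3.0.0")],
     "severity": "critical", "fixed_in": "3.0.0"},
    {"id": "ADV-0003", "component": "imagelib", "affected": [("0.9.0", "1.0.0")],
     "severity": "medium", "fixed_in": "1.0.0"},
]

# Constructed ordering used to prioritize updates (step 3: risk classification).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_version(text):
    """Turn '1.2.3' into the comparable tuple (1, 2, 3); reject anything else."""
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def parse_inventory(text):
    """Parse 'name==version' lines into {name: version}, skipping blanks and comments."""
    components = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)", line)
        if match is None:
            raise ValueError(f"malformed inventory line: {line!r}")
        components[match.group(1)] = match.group(2)
    return components


def version_in_range(version, lo, hi):
    """True when lo <= version < hi; a None bound is treated as unbounded."""
    current = parse_version(version)
    if lo is not None and current < parse_version(lo):
        return False
    if hi is not None and current >= parse_version(hi):
        return False
    return True


def find_vulnerable(components, advisories):
    """Return one finding per advisory that covers an inventoried version,
    sorted by severity (highest first) and then by component name."""
    findings = []
    for adv in advisories:
        current = components.get(adv["component"])
        if current is None:
            continue  # component not in use, nothing to do
        if any(version_in_range(current, lo, hi) for lo, hi in adv["affected"]):
            findings.append({
                "id": adv["id"],
                "component": adv["component"],
                "current": current,
                "fixed_in": adv["fixed_in"],
                "severity": adv["severity"],
            })
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["component"]))
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(parse_inventory(INVENTORY), ADVISORIES):
        print(f"{finding['severity']:8} {finding['component']} {finding['current']}"
              f" -> update to {finding['fixed_in']} ({finding['id']})")
```

Running the script lists tlslib first (critical, every version below 3.0.0 is affected) and libfoo second (high); imagelib 0.8.5 is reported clean because the constructed advisory only covers 0.9.0 up to 1.0.0, which is the kind of range check that keeps an alert from firing on a version that was never affected.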

Attacks

  1. An attacker obtains technical information about a specific product. If the service or software is out of date, public exploits [1] may exist for known vulnerabilities present in the version of the product in use.

Attributes

  1. Layer: Application layer.

  2. Asset: Services and functions.

  3. Scope: Stability.

  4. Phase: Operation.

  5. Type of Control: Recommendation.

References

  1. OWASP ASVS v4.0.1 V1.14 Configuration Architectural Requirements. (1.14.1) Verify the application does not use unsupported, insecure, or deprecated client-side technologies such as NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets.

  2. OWASP Top 10 2013 A9: Using Components with Known Vulnerabilities.
