
REQ.262 Verify third-party components

This document contains the details of the security requirements related to the definition and management of third-party services in the organization. This requirement establishes the importance of verifying that third-party components always run a stable, tested and up-to-date version.

Requirement

The components provided by third parties must be deployed in stable, tested and up-to-date versions.

Description

  1. The organization must ensure that all its products and the products provided by third parties are kept up to date with the latest stable and tested version, reducing the risk that vulnerabilities reported in previous versions are exploited.

  2. When a product changes its version, the implemented improvements must be reviewed to determine whether they include fixes or new controls for recently discovered vulnerabilities.

Implementation

  1. Identify all the products that make up the technology stack, recording for each one its operating system, version, dependencies, logical and physical authentication mechanisms, enabled features and the person in charge. This inventory must be kept up to date.

  2. Monitor all identified components against public vulnerability databases, raising alerts when vulnerabilities are disclosed in products used by the organization and determining the level of impact of each reported vulnerability.

  3. Apply the necessary updates taking into account the vulnerability type, the affected components, and the risk classification within the organization.

  4. Define security policies for the components in use that require up-to-date versions, specific software, ethical hacking and valid product licenses; include internal policies to disable unused features and change default settings that may pose a risk to the organization.
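As an added example (not part of the REQ.262 text), the following Python script walks through steps 1 to 3 above: a constructed component inventory with owners, a constructed advisory feed standing in for a public vulnerability database, and a check that flags every component whose deployed version predates the version carrying the fix, ordered by risk classification. Component names, versions and severities are illustrative, and versions are assumed to be numeric dotted strings.

```python
"""Added example: check a component inventory against an advisory feed."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Component:
    name: str
    version: str
    owner: str          # person in charge, as the inventory step requires


@dataclass
class Advisory:
    component: str
    fixed_in: str       # first version that contains the fix
    severity: str       # risk classification used to prioritise the update


# Constructed inventory (step 1); names and versions are illustrative only.
INVENTORY = [
    Component("web-server", "2.4.49", "platform-team"),
    Component("web-server", "2.4.52", "platform-team"),
    Component("db-driver", "1.9.0", "data-team"),
    Component("image-lib", "3.1.7", "media-team"),
]

# Constructed advisory feed (step 2), standing in for a public vulnerability database.
ADVISORIES = [
    Advisory("web-server", fixed_in="2.4.51", severity="critical"),
    Advisory("db-driver", fixed_in="2.0.0", severity="medium"),
    Advisory("image-lib", fixed_in="3.1.7", severity="high"),
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def outdated_components(inventory, advisories):
    """Return (component, advisory) pairs where the deployed version predates the fix,
    most severe first so remediation follows the risk classification (step 3)."""
    findings = [(c, a) for c in inventory for a in advisories
                if a.component == c.name
                and parse_version(c.version) < parse_version(a.fixed_in)]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[1].severity])


if __name__ == "__main__":
    for c, a in outdated_components(INVENTORY, ADVISORIES):
        print(f"[{a.severity}] {c.name} {c.version} (owner: {c.owner}) -> update to {a.fixed_in}")
```

A component already at or above the fixed version (image-lib 3.1.7 here) produces no finding, which is the check that keeps alerting limited to versions actually affected.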

Attacks

  1. An attacker obtains technical information about a specific product. If the service or software is out of date, there may be public exploits [1] targeting known vulnerabilities present in previous versions of the product.

Attributes

  1. Layer: Application layer.

  2. Asset: Services and functions.

  3. Scope: Stability.

  4. Phase: Operation.

  5. Type of Control: Recommendation.
