A documented risk analysis is available for each third-party app used by the application.
Third-party apps and libraries are tracked for vulnerabilities and security updates as part of the main app.
Specification
The risk analysis is documented and contains at least the following:
- Are the third-party apps and their code tested for security (either beforehand or as part of penetration tests of the entire application)?
- What are the benefits of the third-party app and what are the potential risks of using it?
- How are the third-party apps and libraries maintained, updated and patched?
Only third-party software that is deemed secure is allowed to be used.
The build processes generate provenance and implement SLSA (Supply-chain Levels for Software Artifacts): https://slsa.dev/
ISO 27001 & 27002:2022
8.1, A5.8, A8.25, A8.26, A8.27, A8.28, A8.29, A8.30, A8.31, A8.32
SURF information security assessment framework (SURF toetsingskader informatiebeveiliging, NBA maturity model)
SD.01 Methodology for secure development and implementation of software