Controls

Terug naar overzicht
Version

SB.14.010 Third Party Apps and Libraries

High
High
High
Secure Development
System Owner
v2.0 (Q1 2024)

Description

A documented risk analysis is available for each third-party app used by the application.

Third party apps and libraries are tracked for vulnerabilities and security updates as part of the main app.

Specification

The risk analysis is documented and contains at least the following:

  • Are the third-party apps and their codes tested for security (before or in scope of pen tests on the entire application)?
  • What are the benefits of the third-party app and what are the potential risks of using it?
  • How are the third-party apps and libraries maintained, updated and patched?

Only third-party software that is deemed secure is allowed to be used.

The build processes generate provenance and implement SLSA: https://slsa.dev/