P.3.1 Component and container choice

Control Details

Objective

Make informed third-party component and container choices.

Definition

Consider component characteristics, such as the use of secure SDLC practices, evidence of ongoing maintenance, and open vulnerabilities, as quality indicators of direct and transitive dependencies. OpenSSF Scorecard metrics may be used as an indication of the security posture of a component. Components with the least functionality reduce the attack surface. Have a deny-list that prevents malicious components from being consumed.
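As an added illustration (not part of the original control text), the following Python gate applies the criteria above to a dependency before it is admitted: it rejects deny-listed names, requires Scorecard evidence, and enforces minimum scores on the Maintained, Binary-Artifacts, Vulnerabilities and Contributors checks. The deny-list entries, thresholds and Scorecard results are constructed samples; the JSON shape follows the `scorecard --format=json` output, where an inconclusive check carries a score of -1.

```python
"""Dependency admission gate modelled on the P.3.1 selection criteria."""
import json
from typing import List, Optional, Tuple

# Constructed deny-list of components known to be malicious or banned.
DENY_LIST = {"evil-pkg", "typo-squat-requests"}

# Constructed policy thresholds: minimum Scorecard check score (0-10).
MIN_CHECK_SCORES = {
    "Maintained": 5,        # evidence of ongoing maintenance
    "Binary-Artifacts": 10, # no unreviewable binaries checked in
    "Vulnerabilities": 10,  # no known open vulnerabilities
    "Contributors": 3,      # not a single-maintainer project
}

# Constructed Scorecard results in the scorecard --format=json shape.
GOOD_SCORECARD = json.dumps({"score": 8.1, "checks": [
    {"name": "Maintained", "score": 10}, {"name": "Binary-Artifacts", "score": 10},
    {"name": "Vulnerabilities", "score": 10}, {"name": "Contributors", "score": 7}]})
STALE_SCORECARD = json.dumps({"score": 4.2, "checks": [
    {"name": "Maintained", "score": 0}, {"name": "Binary-Artifacts", "score": 10},
    {"name": "Vulnerabilities", "score": 10}, {"name": "Contributors", "score": -1}]})


def evaluate_component(name: str, scorecard_json: Optional[str]) -> Tuple[bool, List[str]]:
    """Return (admitted, reasons). Reasons is empty only when admitted."""
    if name in DENY_LIST:
        return False, [f"{name} is on the deny-list"]
    if scorecard_json is None:
        # No evidence at all is treated as a failed check, not a pass.
        return False, [f"no Scorecard evidence available for {name}"]
    result = json.loads(scorecard_json)
    scores = {c["name"]: c["score"] for c in result.get("checks", [])}
    reasons = []
    for check, minimum in MIN_CHECK_SCORES.items():
        score = scores.get(check, -1)  # missing or inconclusive (-1) fails
        if score < minimum:
            reasons.append(f"{check} score {score} is below the required {minimum}")
    return (not reasons), reasons


if __name__ == "__main__":
    for dep, evidence in [("good-lib", GOOD_SCORECARD), ("stale-lib", STALE_SCORECARD),
                          ("evil-pkg", GOOD_SCORECARD), ("unknown-lib", None)]:
        admitted, why = evaluate_component(dep, evidence)
        print(dep, "ADMIT" if admitted else "REJECT", "; ".join(why))
```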

Assessment Questions

  1. What kind of approval process do you have, if any, for third-party libraries and containers included in a product?
  2. What do you consider when selecting a third-party component or container?
  3. Is considering solutions with the least functionality to reduce the attack surface part of your component selection process?
  4. How would the approval process handle dependencies that are no longer receiving updates?
  5. How do the OpenSSF Scorecard metrics factor into decisions you make about components?
  6. Are you concerned when a component contains binary artifacts, which cannot be easily reviewed and can more easily conceal a vulnerability?
  7. Do you have a deny-list to prevent the choice of vulnerable and malicious components?

Reference sources

  1. BSIMM SR1.5
  2. NIST SP 800-161: CM-7, SI-3
  3. OpenSSF Scorecard: Binary-Artifacts, Contributors, Maintained
  4. S2C2F ING-3
  5. CNCF-SSC M: Second and third-party risk management
  6. OSPS Baseline: OSPS-BR-05, OSPS-DO-03, OSPS-DO-06, OSPS-QA-02