P.3.5 Prevent component vetting bypass

Control Details

Objective

Ensure developers are not bypassing the component vetting process

Definition

Audit to ensure that developers consume only components that have gone through the approved vetting process, including on their own machines, because developer endpoints can become infected. Restrict the product build to packages that come from the repository of vetted components.
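One concrete way to audit for vetting bypass is to check the dependency lockfile that a build consumes and flag every component whose resolved source is not the organisation's vetted repository. The script below is an added example written for this page, not part of S2C2F or OSPS; it assumes a hypothetical vetted registry host (artifacts.example.internal) and runs over a constructed package-lock.json. It goes slightly beyond the text by also flagging git and local-path dependencies and missing integrity hashes, since those are the usual routes around a vetted registry.

```python
"""Audit an npm lockfile: flag dependencies that were not resolved from the vetted registry."""
import json
import sys
from urllib.parse import urlparse

# Hosts of the organisation's vetted component repository (assumed placeholder value).
APPROVED_HOSTS = {"artifacts.example.internal"}

# Constructed sample package-lock.json (lockfileVersion 3 layout) for demonstration only.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"left-pad": "^1.3.0"}},
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://artifacts.example.internal/npm/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-AAAA"
    },
    "node_modules/some-util": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/some-util/-/some-util-2.0.0.tgz",
      "integrity": "sha512-BBBB"
    },
    "node_modules/patched-lib": {
      "version": "0.1.0",
      "resolved": "git+ssh://git@github.com/someone/patched-lib.git#abcdef"
    },
    "node_modules/local-thing": {
      "version": "1.0.0",
      "resolved": "file:../local-thing",
      "link": true
    }
  }
}
""")


def classify(entry, approved_hosts=APPROVED_HOSTS):
    """Return a reason string if this lockfile entry bypasses the vetted repository, else None."""
    resolved = entry.get("resolved")
    if not resolved:
        return "no resolved URL (provenance cannot be established)"
    url = urlparse(resolved)
    if url.scheme.startswith("git"):
        return f"git dependency {resolved}"
    if url.scheme == "file":
        return f"local path dependency {resolved}"
    if url.scheme != "https":
        return f"non-https scheme {url.scheme}"
    if url.hostname not in approved_hosts:
        return f"fetched from non-approved host {url.hostname}"
    if not entry.get("integrity"):
        return "missing integrity hash"
    return None


def find_unvetted(lock, approved_hosts=APPROVED_HOSTS):
    """Map each offending package path in the lockfile to the reason it was flagged."""
    findings = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # root project entry, not a dependency
            continue
        reason = classify(entry, approved_hosts)
        if reason:
            findings[path] = reason
    return findings


def main(argv):
    # With a file argument, audit that lockfile; otherwise audit the embedded sample.
    lock = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_LOCK
    findings = find_unvetted(lock)
    for path, reason in findings.items():
        print(f"UNVETTED {path}: {reason}")
    # Non-zero exit lets a CI gate fail the build when a bypass is found.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running this in CI against the lockfile that the build actually uses enforces the "restrict product build to vetted packages" half of the control; pairing it with a client-side configuration that points the package manager at the vetted registry (for example npm's registry setting or pip's index-url) covers the developer-machine half, and the audit catches cases where that client configuration was changed or ignored.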

Assessment Questions

  1. In what ways could a developer bypass the component vetting process?
  2. What mechanisms are in place to monitor whether developers consume third-party code only through the approved ingestion method, without bypassing the vetting process?

Reference sources

  1. S2C2F AUD-2
  2. OSPS OSPS-AC-03, OSPS-BR-01, OSPS-BR-05, OSPS-QA-01, OSPS-QA-03, OSPS-QA-07