Question: Are third-party components and open-source libraries regularly inventoried and monitored for vulnerabilities?
Objective — Why This Matters
Modern software relies heavily on open-source components. Without an inventory of those components and a process to update them, a single vulnerable library can expose the entire stack.
Maturity Levels (0 – 5)
Level 0 – No inventory of dependencies.
Level 1 – Developers update packages manually when issues arise.
Level 2 – Dependency list maintained per project.
Level 3 – Automated dependency scanning and alerts.
Level 4 – SBOM generated; CI/CD blocks known vulnerable packages.
Level 5 – Centralized governance; threat-intel feeds prioritize patches.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | List libraries manually per repo. |
| 1 → 2 | Standardize the dependency manifest/lockfile per ecosystem (e.g. npm audit, pip freeze). |
| 2 → 3 | Integrate SCA tool in CI. |
| 3 → 4 | Generate SBOM and enforce policy on build. |
| 4 → 5 | Add intel feeds and risk-based prioritization. |
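As an added illustration of the 3 → 4 step (example code, not part of the original questionnaire): a Python build gate that reads the vulnerability scan of an SBOM and fails the pipeline when any component is affected at or above a chosen severity, while flagging blocking findings that have no fixed version yet so they can go to an exception workflow. The report layout follows Grype's JSON output as an assumption; the package names and CVE ids are constructed placeholders.

```python
"""CI build gate: fail the pipeline on scan findings at/above a severity threshold."""
import json

# Severity order; an unrated finding gets the highest rank so a missing
# severity cannot silently pass the gate.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report. The layout (matches -> vulnerability/artifact)
# mirrors Grype's JSON output as an assumption; ids and packages are placeholders.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-PLACEHOLDER-0001", "severity": "Critical",
                       "fix": {"versions": ["2.4.1"]}},
     "artifact": {"name": "example-yaml-parser", "version": "2.3.0"}},
    {"vulnerability": {"id": "CVE-PLACEHOLDER-0002", "severity": "Low",
                       "fix": {"versions": []}},
     "artifact": {"name": "example-cli-colors", "version": "1.0.2"}},
    {"vulnerability": {"id": "CVE-PLACEHOLDER-0003", "severity": "High",
                       "fix": {"versions": []}},
     "artifact": {"name": "example-image-codec", "version": "0.9.7"}},
]})

def evaluate_report(report_json, min_severity="high"):
    """Return (blocked, findings). A finding blocks the build when its severity
    is at or above min_severity; blocking findings with no fixed version are
    flagged so they can be routed to an exception/ticket workflow."""
    threshold = SEVERITY_RANK[min_severity.lower()]
    findings = []
    for match in json.loads(report_json).get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        severity = vuln.get("severity", "unknown").lower()
        rank = SEVERITY_RANK.get(severity, len(SEVERITY_RANK))  # unknown -> blocks
        fixed_in = vuln.get("fix", {}).get("versions", [])
        findings.append({
            "package": f"{artifact['name']}@{artifact['version']}",
            "id": vuln["id"],
            "severity": severity,
            "blocking": rank >= threshold,
            "fix_available": bool(fixed_in),
            "fixed_in": fixed_in,
        })
    return any(f["blocking"] for f in findings), findings

if __name__ == "__main__":
    blocked, findings = evaluate_report(SAMPLE_REPORT)
    for f in findings:
        state = "BLOCK" if f["blocking"] else "warn"
        fix = ", ".join(f["fixed_in"]) if f["fix_available"] else "no fix yet"
        print(f"{state:5} {f['severity']:9} {f['id']} {f['package']} (fix: {fix})")
    raise SystemExit(1 if blocked else 0)
```

Run as the last step of the build after the scanner has written its report; a non-zero exit status is what makes the CI/CD stage fail.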
People / Process / Technology Enablers
People – Developers, AppSec.
Process – SCA review workflow, update policy.
Technology – OWASP Dependency-Check, Syft, Grype, Dependabot.
Evidence Required
SBOM files, scan reports, remediation logs.
Metrics / KPIs
• Percentage of projects with SBOM coverage
• Number of outdated packages per application
• Average time to update a critical component
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Inventory | Syft | Generate SBOM from source or container. |
| Scanning | Grype / Dependency-Check | Detect CVE vulnerabilities. |
| Automation | Dependabot | Auto pull requests for updates. |
Common Pitfalls
Ignoring transitive dependencies; no approval process for introducing new libraries.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO 27001 | A.8.9 / A.8.25. |
| NIST CSF 2.0 | PR.IP-1 / PR.DS-3. |
| CERT-In 2022 | Third-party component management. |
| NIRMATA Scoring | AS-Q02 ≥ Level 4 requires SBOM enforcement. |