Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)
Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
PR.PS-06.01 | Secure SDLC process | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools | This diagnostic statement provides for the use of secure development processes and procedures, including being cautious when selecting third-party libraries to integrate into applications.
DE.CM-09.01 | Software and data integrity checking | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools | This diagnostic statement protects against Compromise Software Dependencies and Development Tools by verifying the integrity of software and firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures.
ID.RA-01.03 | Vulnerability management | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools | This diagnostic statement provides protection from vulnerabilities in exposed applications across the organization through tools that scan for and review vulnerabilities, along with patch management and remediation of those vulnerabilities. Scanning and addressing vulnerabilities in software dependencies can help reduce the organization's attack surface and protect against adversaries looking for ways to access its systems.
PR.PS-02.01 | Patch identification and application | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools | This diagnostic statement relates to the implementation of a patch management program. Applying vendor-provided patches and upgrades for products and systems mitigates the risk of adversaries exploiting known vulnerabilities. A patch management process can help prevent supply chain compromise by checking for unused dependencies; unmaintained and/or previously vulnerable dependencies; and unnecessary features, components, files, and documentation.
PR.PS-06.06 | Vulnerability remediation | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools | This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Continuous monitoring of vulnerability sources and the use of automated and manual code review tools can mitigate Supply Chain Compromise.
EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools | This diagnostic statement describes the organization's formal process for evaluating externally sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment helps mitigate software supply chain attacks.
EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools | This diagnostic statement protects against Supply Chain Compromise through the implementation of procedures for managing third-party products.
PR.PS-06.07 | Development and operational process alignment | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools | This diagnostic statement protects against Compromise Software Dependencies and Development Tools through DevSecOps, a secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.
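The DE.CM-09.01 row above calls for integrity checking of software before it is loaded. As an added illustration (not code from the Mappings Explorer or from any of the mapped products), the script below verifies a downloaded dependency artifact against sha256 hashes pinned in a lockfile, treating "listed but unpinned" and "not in the lockfile" as distinct failures rather than silently installing; the lockfile syntax mirrors pip's `--hash=sha256:<hex>` form, and the package names, artifact bytes and hashes are constructed for the demo.

```python
# Added example, not from the Mappings Explorer page or any vendor tool: verify a
# downloaded dependency artifact against sha256 hashes pinned in a lockfile. The
# lockfile syntax mirrors pip's "--hash=sha256:<hex>"; names, bytes and hashes
# below are constructed for the demo.
import hashlib
import re
from typing import Dict, Set

# Constructed artifact contents standing in for a downloaded wheel and a tampered copy.
GOOD_ARTIFACT = b"PK\x03\x04 fake-wheel-contents-for-leftpad-1.0.0"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b" + injected postinstall"

# Constructed lockfile: one package pinned by hash, one listed without any hash.
LOCKFILE = f"""
leftpad==1.0.0 \\
    --hash=sha256:{hashlib.sha256(GOOD_ARTIFACT).hexdigest()}
colorful==2.3.1
"""

_PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([^\s\\]+)")
_HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_lockfile(text: str) -> Dict[str, Set[str]]:
    """Map 'name==version' to its allowed sha256 digests (empty set if unpinned)."""
    pins: Dict[str, Set[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _PIN_RE.match(line)
        if m:  # new requirement line; continuation lines only carry hashes
            current = f"{m.group(1).lower()}=={m.group(2)}"
            pins.setdefault(current, set())
        if current is not None:
            pins[current].update(_HASH_RE.findall(line))
    return pins


def verify_artifact(spec: str, data: bytes, pins: Dict[str, Set[str]]) -> str:
    """Return 'ok', 'mismatch', 'unpinned' or 'unknown'; install only on 'ok'."""
    allowed = pins.get(spec.lower())
    if allowed is None:
        return "unknown"    # not in the lockfile at all
    if not allowed:
        return "unpinned"   # listed, but nothing to check integrity against
    digest = hashlib.sha256(data).hexdigest()
    return "ok" if digest in allowed else "mismatch"
```

A CI gate built on this would fail the build on anything other than `ok`, so a substituted or unpinned package never reaches the deploy stage.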
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
azure_update_manager | Azure Update Manager | technique_scores | T1195.001 | Compromise Software Dependencies and Development Tools | This control provides coverage of some aspects of software supply chain compromise, since it enables automated updates of software and rapid configuration change management.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
---|---|---|---|---|---
assured_oss | Assured Open Source Software | technique_scores | T1195.001 | Compromise Software Dependencies and Development Tools | Assured OSS provides Google OSS packages built with security features to help improve the security of a software supply chain, including vulnerability testing, signed provenance, and secured distribution.