T1195.001 Compromise Software Dependencies and Development Tools

Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)

Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
PR.PS-06.01 | Secure SDLC process | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
    Comments: This diagnostic statement provides for the use of secure development processes and procedures. This includes being cautious when selecting third-party libraries to integrate into applications.
DE.CM-09.01 | Software and data integrity checking | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
    Comments: This diagnostic statement protects against Compromise Software Dependencies and Development Tools by verifying the integrity of software/firmware, loading only trusted software, ensuring privileged process integrity, and checking software signatures.
ID.RA-01.03 | Vulnerability management | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
    Comments: This diagnostic statement provides protection from vulnerabilities in exposed applications across the organization through the use of tools that scan for and review vulnerabilities, along with patch management and remediation of those vulnerabilities. Scanning and addressing vulnerabilities in software dependencies can help reduce the organization's attack surface and protect against adversaries looking for ways to access its systems.
PR.PS-02.01 | Patch identification and application | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
    Comments: This diagnostic statement is related to the implementation of a patch management program. Applying patches and upgrades for vendor-provided products and systems mitigates the risk of adversaries exploiting known vulnerabilities. A patch management process can help prevent supply chain compromise by checking for unused, unmaintained, or previously vulnerable dependencies, and for unnecessary features, components, files, and documentation.
PR.PS-06.06 | Vulnerability remediation | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
    Comments: This diagnostic statement provides for identifying and remediating vulnerabilities as part of the SDLC. Continuous monitoring of vulnerability sources and the use of automated and manual code review tools can mitigate Supply Chain Compromise.
EX.DD-04.01 | Third-party systems and software evaluation | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
    Comments: This diagnostic statement describes the organization's formal process for evaluating externally sourced applications, software, and firmware by assessing compatibility, security, integrity, and authenticity before deployment and after major changes. For example, requiring software from external vendors to be signed with valid certificates before deployment helps mitigate software supply chain attacks.
EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
    Comments: This diagnostic statement protects against Supply Chain Compromise through the implementation of procedures for the management of third-party products.
PR.PS-06.07 | Development and operational process alignment | Mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
    Comments: This diagnostic statement protects against Compromise Software Dependencies and Development Tools through the use of DevSecOps, a secure development lifecycle, and application developer guidance. Exploitable weaknesses can be mitigated through secure code, reduced vulnerabilities, and secure design principles.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CA-07 | Continuous Monitoring | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
CM-06 | Configuration Settings | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
CM-05 | Access Restrictions for Change | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
SA-10 | Developer Configuration Management | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
SA-15 | Development Process, Standards, and Tools | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
CA-02 | Control Assessments | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
RA-10 | Threat Hunting | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
SA-22 | Unsupported System Components | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
CM-11 | User-installed Software | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
SR-11 | Component Authenticity | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
SR-04 | Provenance | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
SR-05 | Acquisition Strategies, Tools, and Methods | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
SI-02 | Flaw Remediation | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
SA-11 | Developer Testing and Evaluation | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
CM-07 | Least Functionality | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools
SI-04 | System Monitoring | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
microsoft_sentinel | Microsoft Sentinel | technique_scores | T1195.001 | Compromise Software Dependencies and Development Tools
    Comments: The following Microsoft Sentinel Hunting queries can identify potentially malicious changes to Azure DevOps project resources:
    - "Azure DevOps - Project Visibility changed to public" identifies a specific action that may indicate an attacker modifying the cloud compute infrastructure.
    - "Azure DevOps - Public project created" and "Azure DevOps - Public project enabled by admin" identify specific instances of potential defense evasion.
    The following Microsoft Sentinel Analytics queries can identify potentially malicious changes to Azure DevOps project resources:
    - "AzureDevops Service Connection Abuse" detects potentially malicious behavior associated with the use of a large number of service connections.
    - "External Upstream Source added to Azure DevOps" identifies a specific behavior that could compromise the DevOps build pipeline.
    - "Azure DevOps Pull Request Policy Bypassing - History" identifies potentially malicious behavior that compromises the build process.
    - "Azure DevOps Pipeline modified by a New User" identifies potentially malicious activity that could compromise the DevOps pipeline.
    - "Azure DevOps Administrator Group Monitoring" monitors for specific activity that could compromise the build/release process.
    - "New Agent Added to Pool by New User or a New OS" detects suspicious behavior that could compromise the DevOps pipeline.
azure_update_manager | Azure Update Manager | technique_scores | T1195.001 | Compromise Software Dependencies and Development Tools
    Comments: This control provides coverage of some aspects of software supply chain compromise, since it enables automated software updates and rapid configuration change management.

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
assured_oss | Assured Open Source Software | technique_scores | T1195.001 | Compromise Software Dependencies and Development Tools
    Comments: Assured OSS provides Google OSS packages built with security features that help improve the security of a software supply chain, including vulnerability testing, signed provenance, and secured distribution.