T1195.001 Compromise Software Dependencies and Development Tools

Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Trendmicro NPM Compromise)

Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.


CSA CCM Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes

STA-16 | Supply Chain Data Security Assessment | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments: The mitigative applications of this control relate to (e) "software supply chain risk management practices for ensuring software integrity, traceability, and provenance (e.g., software build practices, component management, and use of Software Bill of Materials (SBOMs))". SBOMs are known to provide transparency into software components, which may enable the identification of vulnerable software libraries, components, or code and mitigate the injection or execution of vulnerable or malicious code.

STA-10 | Supply Chain Risk Management | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments: The mitigative applications of this control relate to (e) "software supply chain risk management practices for ensuring software integrity, traceability, and provenance (e.g., software build practices, component management, and use of Software Bill of Materials (SBOMs))". SBOMs are known to provide transparency into software components, which may enable the identification of vulnerable software libraries, components, or code and mitigate the injection or execution of vulnerable or malicious code.

TVM-06 | External Library Vulnerabilities | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments: This control requires both CSP and CSC to independently manage third-party and open-source libraries by maintaining accurate inventories, integrating with vulnerability databases, automating patching and updates, and using dependency and scanning tools to mitigate risks from library vulnerabilities.

DSP-07 | Data Protection by Design and Default | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments: Data protection by design and default is emphasized in this control, requiring proactive integration of security and privacy measures at every stage of the SDLC and across all components. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. In terms of mitigation, application developers should be cautious when selecting third-party libraries to integrate into their application. Additionally, where possible, developers should lock software dependencies to specific versions that are known to be secure rather than pulling the latest version on build.

AIS-06 | Automated Secure Application Deployment | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments: This control applies to the secure deployment of applications and emphasizes the prevention of misconfigurations and malicious deployment activities. Standardized deployment templates, a curated list of approved automation/deployment tools, and vetting of IaC libraries reduce the chance that malicious third-party code or compromised build tools enter the pipeline.

AIS-04 | Secure Application Design and Development | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments: This control requires both Cloud Service Providers and customers to implement a Secure Software Development Lifecycle (SSDLC) with security practices throughout the entire application development process to protect cloud-based applications from cyber threats. Adversaries may manipulate source code in open-source dependencies to add malicious code to users of the dependency. The SSDLC should validate open-source components to prevent the use of malicious or vulnerable dependencies.

AIS-05 | Automated Application Security Testing | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools |
Comments: The control outlines several testing approaches, including the use of automated tools, to identify vulnerabilities throughout the software development lifecycle from development to production. It emphasizes testing for risks such as injection attacks and session hijacking, and recommends alignment with industry standards like the OWASP Top 10 to enhance application security. Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. A vulnerability scanner can be used to identify any third-party issues as outlined in the implementation guidelines.
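The controls above converge on a few concrete build-time checks: an accurate component inventory (STA-16, STA-10, TVM-06), dependencies locked to exact known-good versions rather than floating ranges (DSP-07), and automated scanning against advisory data (TVM-06, AIS-05). The following Python script is an added example written for this page, not code from the CSA CCM or the ATT&CK mappings project. It parses a pip-style lockfile, checks each dependency for exact pinning and an artifact hash, cross-checks it against a CycloneDX-style SBOM component list, and flags versions present in an advisory feed. The lockfile, SBOM and advisory data are constructed samples with fictional package names and a placeholder hash; the function and field names are the example's own.

```python
"""Lockfile / SBOM / advisory cross-check (added example, not from the mapping page)."""
import re
from dataclasses import dataclass

# Constructed sample lockfile (fictional packages). It covers four cases:
# pinned with hash, pinned without hash, a floating range, and a bare name.
SAMPLE_LOCKFILE = """\
acme-http==1.4.2 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
acme-yaml==3.0.1
acme-json>=2.0
acme-leftpad
"""

# Constructed CycloneDX-style SBOM for the same build. acme-http records a
# different version than the lockfile, and acme-leftpad is absent on purpose.
SAMPLE_SBOM = {
    "components": [
        {"name": "acme-http", "version": "1.4.1"},
        {"name": "acme-yaml", "version": "3.0.1"},
        {"name": "acme-json", "version": "2.3.0"},
    ]
}

# Constructed advisory feed: package name -> versions with a known issue.
SAMPLE_ADVISORIES = {"acme-yaml": {"3.0.1"}}

# Requirement line: name, optional version operator, optional version.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|<|>)?\s*([^\s\\]*)")


@dataclass
class Finding:
    package: str
    issue: str


def parse_lockfile(text):
    """Return one dict per requirement: name, pinned, version, hashed.

    pip writes --hash options on continuation lines ending in a backslash,
    so those are joined first to keep the hash with its requirement.
    """
    joined = text.replace("\\\n", " ")
    entries = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = REQ_RE.match(line)
        if not match:
            continue
        name, op, version = match.group(1).lower(), match.group(2), match.group(3)
        entries.append({
            "name": name,
            "pinned": op == "==",
            "version": version if op == "==" else None,
            "hashed": "--hash=" in line,
        })
    return entries


def check_dependencies(lockfile_text, sbom, advisories):
    """Apply the pinning, hash, SBOM-consistency and advisory checks."""
    findings = []
    sbom_versions = {c["name"].lower(): c["version"] for c in sbom.get("components", [])}
    for entry in parse_lockfile(lockfile_text):
        name, version = entry["name"], entry["version"]
        if not entry["pinned"]:
            findings.append(Finding(name, "not pinned to an exact version"))
        elif not entry["hashed"]:
            findings.append(Finding(name, "pinned but no artifact hash"))
        if name not in sbom_versions:
            findings.append(Finding(name, "missing from SBOM"))
        elif version and sbom_versions[name] != version:
            findings.append(Finding(name, f"SBOM version {sbom_versions[name]} != lockfile {version}"))
        if version in advisories.get(name, set()):
            findings.append(Finding(name, f"version {version} has a known advisory"))
    return findings


def findings_by_package(findings):
    """Group findings as {package: [issue, ...]} for reporting or gating a build."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.package, []).append(f.issue)
    return grouped


if __name__ == "__main__":
    for pkg, issues in findings_by_package(
        check_dependencies(SAMPLE_LOCKFILE, SAMPLE_SBOM, SAMPLE_ADVISORIES)
    ).items():
        for issue in issues:
            print(f"{pkg}: {issue}")
```

On the constructed input the script reports six findings: an SBOM/lockfile version mismatch for acme-http, a missing hash and an advisory hit for acme-yaml, an unpinned range for acme-json, and both an unpinned bare name and an SBOM omission for acme-leftpad. In a pipeline the non-empty result would fail the build, which is the enforcement point the DSP-07 and TVM-06 comments describe.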