Commit

Re resolve #899 by clarifying 14.2.7
tghosth authored and elarlang committed Jan 24, 2024
1 parent 6bf340f commit 212b0ee
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion 5.0/en/0x22-V14-Config.md
@@ -45,7 +45,7 @@ Note: At Level 1, 14.2.1 compliance relates to observations or detections of cli
| **14.2.4** | Verify that third party components come from pre-defined, trusted and continually maintained repositories. ([C2](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ||| 829 |
| **14.2.5** | Verify that a Software Bill of Materials (SBOM) is maintained of all third party libraries in use. ([C2](https://owasp.org/www-project-proactive-controls/#div-numbering)) | ||| |
| **14.2.6** | [MODIFIED, SPLIT TO 14.2.8, LEVEL L2 > L3] Verify that risky third party libraries or those with a history of vulnerabilities are encapsulated such that only required behaviour is available to the application, to reduce attack surface. ([C2](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | || 1061 |
| **14.2.7** | [ADDED] Verify that third party components are sourced separately from internally owned and developed applications. |||| 441 |
| **14.2.7** | [ADDED] Verify that third party components are sourced separately from internally owned and developed applications to prevent dependency confusion attacks. |||| 427 |
| **14.2.8** | [ADDED, SPLIT FROM 14.2.6] Verify that risky third party libraries or those with a history of vulnerabilities are sandboxed away from the most sensitive system modules/services so that even if a vulnerability in the library was successfully exploited, the sensitive system modules/services would not be compromised. ([C2](https://owasp.org/www-project-proactive-controls/#div-numbering)) | | || 1061 |

Note: Certain languages and package managers, have ecosystems that require the identification of packages using multiple factors (e.g groupId and artifactId). This would allow the build process to more specifically identify a resource. In other cases, package managers operate by the order of repositories or mirrors included. Consult your package managers to specifically indicate search order.
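Review bot: the commit message says this change clarifies 14.2.7, but the changed row also remaps the CWE reference from 441 to 427 (CWE-427, Uncontrolled Search Path Element, is a closer fit for dependency confusion than CWE-441, Unintended Proxy or Intermediary / Confused Deputy), and that remapping is not mentioned anywhere; please state it in the commit message or in #899 so the mapping change is traceable. Separately, the requirement now names the attack it prevents but still does not say what "sourced separately" means in practice; the Note under the table (identifying packages by multiple factors such as groupId and artifactId, or explicitly configuring repository search order) is what makes the requirement testable, so consider pointing to it or adding a short clause to the requirement, for example "e.g. from a dedicated repository or namespace", so the row stands on its own.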
