V14.2.7 - move to V10

Open elarlang opened this issue 1 year ago • 3 comments

Spin-off from #2088, the requirement comes in via #899

| # | Description | L1 | L2 | L3 | CWE |
| --- | --- | --- | --- | --- | --- |
| 14.2.7 | [ADDED] Verify that third party components are sourced separately from internally owned and developed applications to prevent dependency confusion attacks. | | | | 427 |

For me, it is not a configuration requirement. I think it is again something for "V10.X software architecture" or "Handling software components".

elarlang avatar Oct 20 '24 13:10 elarlang

This does not seem clear enough to me. We need more detail, IMO. How about:

Verify that third-party components are sourced from distinct, verifiable repositories separate from internally developed applications to prevent dependency confusion attacks. Implement rigorous validation processes, including signature verification and integrity checks, for all external dependencies. Additionally, monitor third-party repositories for updates and vulnerabilities to reduce the risk of malicious injection or supply chain attacks.

jmanico avatar Oct 21 '24 11:10 jmanico

I think the original wording is ok. @elarlang to consider merging into the new merged requirement discussed in #2165

tghosth avatar Oct 22 '24 09:10 tghosth

"dependency confusion" is an attack against the build process and it is not something you are going to check or fix with documentation.

The implementation process itself we considered to be out of scope - it is out of the application's responsibility; at the same time, we cannot ignore this issue.

So we need to set the focus to the outcome - the built program code. Something like:

Verify that each 3rd party component for the application came from an expected repository for that component and there has not been dependency confusion in place.

elarlang avatar Oct 23 '24 14:10 elarlang

@elarlang how about:

| # | Description | L1 | L2 | L3 | CWE |
| --- | --- | --- | --- | --- | --- |
| 14.2.7 | [ADDED] Verify that third party components are being included from the expected repository, whether that is internally owned or an external source, and that there is no risk of a dependency confusion attack. | | | | 427 |

tghosth avatar Oct 24 '24 19:10 tghosth
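One way to check the outcome the proposed wording asks for (that each component was included from the expected repository), as an added example that is not part of the ASVS project or this thread: it reads the sources recorded in an npm lockfile and compares each package's registry host with a per-name-prefix policy, flagging an internal-scoped package pulled from the public registry and any package with no recorded source. The lockfile excerpt, the `@acme/` scope and the registry hostnames are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed excerpt of an npm package-lock.json (lockfileVersion 3 layout).
# "@acme/" is assumed to be the organisation's internal scope, expected from
# an internal registry; everything else is expected from registry.npmjs.org.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/lodash": {
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
            "integrity": "sha512-constructed"},
        "node_modules/@acme/auth-lib": {
            "resolved": "https://npm.internal.example/@acme/auth-lib/-/auth-lib-2.3.0.tgz",
            "integrity": "sha512-constructed"},
        # Internal name resolved from the public registry: the confusion pattern.
        "node_modules/@acme/billing-core": {
            "resolved": "https://registry.npmjs.org/@acme/billing-core/-/billing-core-99.0.0.tgz",
            "integrity": "sha512-constructed"},
        # No recorded source at all, so its origin cannot be verified.
        "node_modules/left-pad": {"version": "1.3.0"},
    },
}

# Policy: package-name prefix -> expected registry host. Longest match wins;
# "" is the default for public packages.
POLICY = {"@acme/": "npm.internal.example", "": "registry.npmjs.org"}

def expected_host(name, policy):
    """Registry host the policy expects for this package name."""
    prefix = max((p for p in policy if name.startswith(p)), key=len)
    return policy[prefix]

def check_lock_sources(lock, policy):
    """One finding per package whose recorded source violates the policy."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue  # root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[1]
        if not meta.get("resolved") or not meta.get("integrity"):
            findings.append(f"{name}: no resolved URL/integrity; source unverifiable")
            continue
        host = urlparse(meta["resolved"]).hostname
        want = expected_host(name, policy)
        if host != want:
            findings.append(f"{name}: resolved from {host}, expected {want}")
    return findings
```

Run against the sample it reports `@acme/billing-core` (public registry instead of the internal one) and `left-pad` (no recorded source); a CI job can fail the build on a non-empty result.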

Ok for me.

For the section, it still seems dependency-related and can be together with current 14.2.1 and be moved to V10?

elarlang avatar Oct 24 '24 19:10 elarlang

So we would create a new dependency section v10.6?

tghosth avatar Oct 24 '24 19:10 tghosth

Or is this an architecture thing?

tghosth avatar Oct 24 '24 19:10 tghosth

For me it's solving a dependency issue, not the application architecture. So, my proposal is to move current section V14.2 to V10.6.

elarlang avatar Oct 24 '24 19:10 elarlang