
Dependency Security Management & Continuous Dependency Remediation

Open ducthinh993 opened this issue 1 year ago • 0 comments

In the modern AppSec program, it's necessary to "shift-left" security & governance for dependency from the Code to the Plan stage.

Conceptual approach

Plan phase:

For OSS Dependency:

For vendor and third-party dependency:

  • Include an SBOM as the artifact release manifest in order to be aware of downstream dependencies. The benefit of the SBOM approach is that it allows the security team to perform security assessments without needing the source code, which might not be available for third-party components.
  • Build a private dependency registry to securely store and sign off on dependencies, to prevent availability and tampering issues from upstream maintainers.

Code phase:

  • Set up a proper dependency security scanning tool in the CI/CD pipeline
  • Set up Dependency Vulnerability Assessment to continuously scan and alert developers about new findings

ducthinh993 Jun 16 '23 06:06
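An added example (not part of the issue or the DevSecOpsGuideline project) of the SBOM-driven assessment and CI gate described above: it parses a constructed CycloneDX manifest, matches components against a constructed advisory feed (package names and advisory IDs are hypothetical), and blocks the release when a finding meets the policy threshold.

```python
"""Assess a CycloneDX SBOM against an advisory feed and apply a release gate."""
import json
from typing import Dict, List, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed CycloneDX SBOM (sample release manifest; package names are hypothetical).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "acme-json", "version": "2.4.1", "purl": "pkg:npm/acme-json@2.4.1"},
    {"type": "library", "name": "acme-http", "version": "1.9.0", "purl": "pkg:pypi/acme-http@1.9.0"},
    {"type": "library", "name": "acme-log", "version": "3.0.2", "purl": "pkg:npm/acme-log@3.0.2"}
  ]
}"""

# Constructed advisory feed: version-less purl -> advisories with the first fixed version.
ADVISORIES: Dict[str, List[dict]] = {
    "pkg:npm/acme-json": [{"id": "ADV-EXAMPLE-1", "severity": "high", "fixed_in": "2.4.3"}],
    "pkg:pypi/acme-http": [{"id": "ADV-EXAMPLE-2", "severity": "low", "fixed_in": "1.8.0"}],
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple (non-numeric parts become 0)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def components_from_sbom(sbom_json: str) -> List[Tuple[str, str]]:
    """Return (version-less purl, version) pairs; purl qualifiers and components without a purl are not handled."""
    out = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if purl and "@" in purl:
            base, version = purl.rsplit("@", 1)
            out.append((base, version))
    return out

def assess(sbom_json: str, advisories: Dict[str, List[dict]]) -> List[dict]:
    """A finding is raised when the shipped version predates the advisory's fixed version."""
    findings = []
    for base, version in components_from_sbom(sbom_json):
        for adv in advisories.get(base, []):
            if parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({"purl": f"{base}@{version}", **adv})
    return findings

def release_gate(findings: List[dict], fail_at: str = "high") -> bool:
    """Policy gate: the release passes only if every finding is below the threshold severity."""
    threshold = SEVERITY_RANK[fail_at]
    return all(SEVERITY_RANK[f["severity"]] < threshold for f in findings)
```

Re-running `assess` on every new advisory feed pull, rather than only at build time, is what turns this into the continuous assessment the issue asks for.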