From 872f7efa0bb756bf27d88d769c0a93fff3a9b1c1 Mon Sep 17 00:00:00 2001 From: Elar Lang Date: Fri, 25 Oct 2024 09:40:35 +0300 Subject: [PATCH] #2088 move dependency pieces to V10 --- 5.0/en/0x18-V10-Coding.md | 3 +++ 5.0/en/0x22-V14-Config.md | 3 --- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/5.0/en/0x18-V10-Coding.md b/5.0/en/0x18-V10-Coding.md index 600f9a87a..dd4dca56a 100644 --- a/5.0/en/0x18-V10-Coding.md +++ b/5.0/en/0x18-V10-Coding.md @@ -66,6 +66,8 @@ Complying with this section is likely to be operational and continuous. ## 10.6 Code Dependencies +Dependency management is critical to the safe operation of any application of any type. Failure to keep up to date with outdated or insecure dependencies is the root cause of the largest and most expensive attacks to date. While being up-to-date with patches is essential, relying solely on updates for publicly disclosed vulnerabilities introduces risk, as vendors may fix security issues without public announcements. + | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | | **10.6.1** | [MODIFIED, MOVED FROM 14.2.1] Verify that all components are up to date. | ✓ | ✓ | ✓ | | @@ -78,3 +80,4 @@ For more information, see also: * [Reference on Protecting against DOM Clobbering](https://domclob.xyz/domc_wiki/indicators/patterns.html#secure-patterns--guidelines) * [OWASP Prototype Pollution Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html) * [OWASP Mass Assignment Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html) +* [Software Component Verification Standard V2 L1-3 requirements](https://github.com/OWASP/Software-Component-Verification-Standard/blob/master/en/0x11-V2-Software_Bill_of_Materials.md) diff --git a/5.0/en/0x22-V14-Config.md b/5.0/en/0x22-V14-Config.md index 0204c4465..4eb0065b6 100644 --- a/5.0/en/0x22-V14-Config.md +++ b/5.0/en/0x22-V14-Config.md @@ -33,8 +33,6 @@ Compliance with this section requires an automated build system, and access to b ## V14.2 Dependency -Dependency management is critical to the safe operation of any application of any type. Failure to keep up to date with outdated or insecure dependencies is the root cause of the largest and most expensive attacks to date. While being up-to-date with patches is essential, relying solely on updates for publicly disclosed vulnerabilities introduces risk, as vendors may fix security issues without public announcements. - Note: At Level 1, 14.2.1 compliance relates to observations or detections of client-side and other libraries and components, rather than the more accurate build-time static code analysis or dependency analysis. These more accurate techniques could be discoverable by interview as required. | # | Description | L1 | L2 | L3 | CWE | @@ -99,5 +97,4 @@ For more information, see also: * [OWASP Web Security Testing Guide 4.1: Testing for HTTP Verb Tampering]( https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/07-Input_Validation_Testing/03-Testing_for_HTTP_Verb_Tampering.html) * [OWASP Web Security Testing Guide 4.1: Configuration and Deployment Management Testing](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/README.html) * [Defining multiple repositories in Maven](https://maven.apache.org/guides/mini/guide-multiple-repositories.html) -* [Software Component Verification Standard V2 L1-3 requirements](https://github.com/OWASP/Software-Component-Verification-Standard/blob/master/en/0x11-V2-Software_Bill_of_Materials.md) * [Tips to Reduce the Attack Surface When Using Third-Party Libraries](https://www.slideshare.net/KatyAnton1/tips-to-reduce-the-attack-surface-when-using-thirdparty-libraries)