TVM-05: External Library Vulnerabilities

CSF v1.1 References:

PF v1.0 References:

Info icon.

Control is new to this version of the control set.

Control Statement

Define, implement and evaluate processes, procedures and technical measures to identify updates for applications which use third party or open source libraries according to the organization's vulnerability management policy.

Implementation Guidance

Where a CSC or a CSP uses third party or open source libraries, these should be tracked, scanned and reported on in the integrated TVM system. Installed or used packages, libraries and/or runtimes that are part of their solution with their running version should be included. TVM scans can be performed automatically and the findings should be promptly reported to the integrated TVM system. This activity should be monitored to avoid operational gaps. The organization should leverage global threat intelligence about threat signatures and vulnerability databases that may contain indicators of attack and compromise. It should also consider implementing automated & recurring processes so that human errors can be avoided.

Auditing Guidance

  1. Examine policy for adequacy, currency, and effectiveness.
  2. Determine if a process exists to identify third-party libraries, and to evaluate their impact on the organization’s vulnerability management.

[ Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.