Description
The product’s design or architecture is built from multiple separate components, but one or more components are not under complete control of the developer, such as a third-party software library or a physical component that is built by an original equipment manufacturer (OEM).
Modes of Introduction:
– Requirements
Related Weaknesses
Consequences
Other: Reduce Maintainability
Potential Mitigations
Phase: Architecture and Design, Implementation, Integration, Manufacturing
Description:
Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], “An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships.”
Phase: Operation, Patching and Maintenance
Description:
Continue to monitor changes in each of the product’s components, especially changes that indicate new vulnerabilities, end-of-life (EOL) plans, or similar events that affect whether the component can still be trusted or maintained.
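The two mitigations above (keep an SBOM, then keep monitoring its components) can be combined into a routine check. The following is an added example, not part of the CWE entry: it parses a constructed SBOM written in the CycloneDX JSON layout (`bom-ref`, `components`, `dependencies`), walks the dependency graph, and reports every component that matches a hypothetical EOL/advisory watch list, together with the chain of sub-components through which the product depends on it. Component names, versions, and the watch-list entries are all made up for illustration.

```python
"""Flag SBOM components that appear on an EOL / advisory watch list (CWE-1357 mitigations)."""
import json
from collections import defaultdict

# Constructed sample SBOM in CycloneDX JSON layout; names and versions are hypothetical.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "app",  "name": "nas-firmware", "version": "2.1.0"},
        {"bom-ref": "web",  "name": "webui",        "version": "1.4.2"},
        {"bom-ref": "libx", "name": "libexample",   "version": "0.9.1"},
        {"bom-ref": "tls",  "name": "tlslib",       "version": "3.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web", "tls"]},
        {"ref": "web", "dependsOn": ["libx"]},
    ],
})

# Constructed watch list: (name, version) -> reason. In practice this is fed from
# vendor EOL notices and vulnerability advisories; the entry below is hypothetical.
WATCH_LIST = {
    ("libexample", "0.9.1"): "end-of-life, no further security fixes",
}


def load_sbom(text):
    """Return (components keyed by bom-ref, adjacency list) from a CycloneDX-style SBOM."""
    doc = json.loads(text)
    comps = {c["bom-ref"]: (c["name"], c["version"]) for c in doc["components"]}
    deps = defaultdict(list)
    for d in doc.get("dependencies", []):
        deps[d["ref"]].extend(d.get("dependsOn", []))
    return comps, deps


def affected_components(sbom_text, watch_list):
    """Map each flagged bom-ref to (dependency path from a top-level component, reason).

    The graph walk reports transitive exposure: a sub-component that is EOL or
    vulnerable is attributed back to the product-level component that pulls it in.
    """
    comps, deps = load_sbom(sbom_text)
    findings = {}
    roots = set(comps) - {child for kids in deps.values() for child in kids}

    def walk(ref, path, seen):
        if ref in seen:          # guard against dependency cycles
            return
        seen.add(ref)
        if comps[ref] in watch_list:
            findings.setdefault(ref, (path + [ref], watch_list[comps[ref]]))
        for child in deps.get(ref, []):
            walk(child, path + [ref], seen)

    for root in roots:
        walk(root, [], set())
    return findings
```

Run `affected_components(SBOM_JSON, WATCH_LIST)` on the sample to see the EOL library reported via the `app -> web -> libx` chain; in a real pipeline the watch list would be refreshed from advisory and EOL feeds on every run.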
CVE References
- CVE-2020-9054: Chain: network-attached storage (NAS) device has a critical OS command injection (CWE-78) vulnerability that is actively exploited to place IoT devices into a botnet, but some products are “end-of-support” and cannot be patched (CWE-1277). [REF-1097]