CWE-1357
Reliance on Insufficiently Trustworthy Component
The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability.
Mitigation
Phases: Requirements, Architecture and Design, Implementation
Description:
- For each component, ensure that its supply chain is well-controlled with sub-tier suppliers using best practices. For third-party software components such as libraries, ensure that they are developed and actively maintained by reputable vendors.
Mitigation
Phases: Architecture and Design, Implementation, Integration, Manufacturing
Description:
- Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Mitigation
Phases: Operation, Patching and Maintenance
Description:
- Continue to monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, supplier practices that affect trustworthiness, etc.
No CAPEC attack patterns related to this CWE.