CWE-1357 Detalhe

The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability.

Modos de Introdução

Requirements : Requirements might include criteria for which the only available solutions are provided by insufficiently trusted components.
Architecture and Design : An insufficiently trusted component might be selected because it is less expensive to do in-house, requires expertise that is not available in-house, or might allow the product to reach the market faster.

Plataformas Aplicáveis

Arquiteturas

Class: Not Architecture-Specific (Undetermined)

Tecnologias

Class: Not Technology-Specific (Undetermined)
Class: ICS/OT (Undetermined)

Consequências Comuns

Exemplos Observados

Mitigações Potenciais

Phases : Requirements // Architecture and Design // Implementation
For each component, ensure that its supply chain is well-controlled with sub-tier suppliers using best practices. For third-party software components such as libraries, ensure that they are developed and actively maintained by reputable vendors.
Phases : Architecture and Design // Implementation // Integration // Manufacturing
Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Phases : Operation // Patching and Maintenance
Continue to monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, supplier practices that affect trustworthiness, etc.

Métodos de Detecção

Automated Static Analysis

Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Eficácia : High

Notas de Mapeamento de Vulnerabilidade

Justificativa : This CWE entry is a Class and might have Base-level children that would be more appropriate
Comentário : Examine children of this entry to see if there is a better fit

Notas

As of CWE 4.10, the name and description for this entry has undergone significant change and is still under public discussion, especially by members of the HW SIG.

Referências

REF-1212

A06:2021 - Vulnerable and Outdated Components
https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/

REF-1246

SOFTWARE BILL OF MATERIALS
National Telecommunications and Information Administration.
https://www.ntia.gov/page/software-bill-materials

REF-1247

Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)
NTIA Multistakeholder Process on Software Component Transparency Framing Working Group.
https://www.ntia.gov/files/ntia/publications/ntia_sbom_framing_2nd_edition_20211021.pdf

REF-1097

Zyxel Flaw Powers New Mirai IoT Botnet Strain
Brian Krebs.
https://krebsonsecurity.com/2020/03/zxyel-flaw-powers-new-mirai-iot-botnet-strain/

Submissão

Modificações