4 Third-Party Risk: Protecting the SDLC

This chapter covers

  • Understanding how third-party dependencies make their way into the SDLC
  • Learning how malicious actors attack and exploit open source and vendor software
  • Approaches to protecting systems from ingesting bad third-party dependencies

In the previous chapter, we learned how to protect some early tasks in an SDLC cycle by instituting policies that ensure security is prioritized, and by ensuring that only approved devices can access the internal systems involved in the SDLC, whether they are development systems or project planning software. We can now go a step further and look at what happens once we start to pull in third-party source code, artifacts, and other dependencies.

4.1 Overview

4.2 Analysis

4.2.1 Understanding the Analysis Phase

4.2.2 Identify Threats in the Analysis Phase

4.2.3 Determining Mitigations for Planning Phase Attacks

4.3 Design Phase

4.3.1 Understanding the Design Phase

4.3.2 Identify Threats in the Design Phase

4.3.3 Determining Mitigations for Design Phase Attacks

4.4 Summary

4.4.1 Answer Key