4 Third-Party Risk: Protecting the SDLC
This chapter covers
- Understanding how third-party dependencies make their way into the SDLC
- Learning how malicious actors attack and exploit open source and vendor software
- Approaches to protecting systems from ingesting bad third-party dependencies
In the previous chapter we learned how to protect some early tasks in the SDLC by instituting policies that ensure security is prioritized, and by ensuring that only approved devices can access the internal systems involved in the SDLC, whether those are development systems or project planning software. We can now go a step further and look at what happens once we start to pull in third-party source code, artifacts, and other dependencies.