d3fend / d3fend-ontology

This repository holds the necessary content to produce the D3FEND ontology distribution.
https://d3fend.mitre.org
MIT License

Library Version Pinning #169

Open AashiqRamachandran opened 1 year ago

AashiqRamachandran commented 1 year ago

Library Version Pinning

Digital Artifacts

File Content Rules analyzes File

Definition

Ensure only certain versions are used, i.e. "pinned down", for all libraries used across scripts and code to ensure only vetted versions are being used organization-wide.

How it works

Version Pinning is the practice of freezing third party dependency versions used in code. This way we ensure all third party code that is being ingested is stamped with a version number that has been verified to contain non-malicious code.

With supply chain attacks increasing, version pinning ensures we do not default to the latest version without prior verification, reducing the attack surface for supply chain attacks.

Considerations

While pinning down versions ensures that only known versions of libraries are used, any inherent vulnerabilities present in that version of dependency might go unnoticed. As a countermeasure, a robust upgrade and patching plan must be in place.

Contributed By

Cyware Labs, Aashiq Ramachandran

Synonyms

Dependency Pinning

MITRE D3FEND Tactic

Harden
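An added example, not part of the issue or of the D3FEND repository, that puts the "pinned versus unpinned" distinction from the "How it works" section and the stale-pin concern from "Considerations" into working code. It audits a pip requirements.txt (the `pkg==1.2.3 --hash=sha256:...` syntax) and reports which entries are exactly pinned, which additionally carry a hash, and which would float to whatever the index serves at install time; it then checks the pinned versions against an advisory table. The requirements text, the advisory table and its advisory identifier are constructed samples; the function names are the example's own.

```python
"""Audit a pip requirements file for dependency version pinning.

Added example, not code from the D3FEND issue or repository. Parses
requirements.txt syntax (name, version specifier, optional --hash options)
and classifies each entry, then checks exact pins against a constructed
advisory table to show why pinning needs an upgrade/patching plan.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample requirements file (not from the page).
SAMPLE_REQUIREMENTS = """\
# constructed sample: one hash-pinned, one pinned, two floating entries
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3==1.26.5
certifi>=2023.0
flask
-r other-requirements.txt
"""

# Constructed advisory table: package -> {affected version: advisory id}.
# The advisory id is a placeholder, not a real identifier.
SAMPLE_ADVISORIES: Dict[str, Dict[str, str]] = {
    "urllib3": {"1.26.5": "CONSTRUCTED-ADVISORY-001"},
}

# name, optional [extras], then the first specifier clause if present
_SPEC_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?P<extras>\[[^\]]*\])?\s*"
    r"(?:(?P<op>===|==|~=|>=|<=|!=|>|<)\s*(?P<ver>[^\s,;]+))?"
)
# pip accepts "--hash=algo:digest" or "--hash algo:digest"
_HASH_RE = re.compile(r"--hash[= ](?P<algo>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")


@dataclass
class Requirement:
    name: str
    operator: Optional[str]
    version: Optional[str]
    hashes: Tuple[str, ...]

    @property
    def pinned(self) -> bool:
        # Only exact equality pins a version; "==1.*" is a wildcard, not a pin.
        return (self.operator in ("==", "===") and self.version is not None
                and not self.version.endswith(".*"))

    @property
    def status(self) -> str:
        if not self.pinned:
            return "unpinned"
        return "pinned+hash" if self.hashes else "pinned"


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash-continued lines the way pip does."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()


def parse_requirements(text: str) -> List[Requirement]:
    reqs: List[Requirement] = []
    for line in _logical_lines(text):
        line = re.split(r"(^|\s)#", line)[0].strip()  # drop comments
        if not line or line.startswith("-"):  # skip -r / --index-url options
            continue
        m = _SPEC_RE.match(line)
        if not m:
            raise ValueError("unparseable requirement: %r" % line)
        hashes = tuple("%s:%s" % (h.group("algo"), h.group("digest"))
                       for h in _HASH_RE.finditer(line))
        reqs.append(Requirement(m.group("name"), m.group("op"), m.group("ver"), hashes))
    return reqs


def audit(text: str) -> Dict[str, List[str]]:
    """Group requirement names by pinning status."""
    report: Dict[str, List[str]] = {"pinned+hash": [], "pinned": [], "unpinned": []}
    for req in parse_requirements(text):
        report[req.status].append(req.name)
    return report


def check_advisories(reqs: List[Requirement],
                     advisories: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Pinned versions do not receive fixes; flag pins that match an advisory."""
    return [(r.name, r.version, advisories[r.name][r.version])
            for r in reqs if r.pinned and r.name in advisories
            and r.version in advisories[r.name]]


if __name__ == "__main__":
    for status, names in audit(SAMPLE_REQUIREMENTS).items():
        print("%-12s %s" % (status, ", ".join(names) or "-"))
    for finding in check_advisories(parse_requirements(SAMPLE_REQUIREMENTS), SAMPLE_ADVISORIES):
        print("pinned but affected: %s==%s (%s)" % finding)
```

Running the file prints the three status groups and the one advisory hit; in a build pipeline the same `audit` result would gate on any `unpinned` entry, while `check_advisories` is the routine review step the "Considerations" paragraph calls for, so a pin is revisited instead of frozen indefinitely.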

netfl0 commented 1 year ago

After some consideration here are a few distinctions we want to make.

Library pinning can occur at multiple stages of the SDLC and Operations.

Compiled languages with static libraries - Software build
Languages with dynamic libraries - Software packaging and dynamic libraries

Some of this would fall under Application Hardening, some under the forthcoming Source Code Hardening. I am trying to determine if some of this would fall exclusively under Platform Hardening.

We ought to add all types of this to D3FEND, but we need to base our definitions around specific implementations. Thus, this contribution needs to add references to the specific technology you're referring to. (RPM, NPM, GO packaging ecosystem, etc)

Please provide some additional context about the implementation(s) you're referring to. We want to be able to make distinctions between any differences in implementation.

netfl0 commented 7 months ago

@hack-sentinel can you think about how to fold this in? It might need distinct build versus dynamic loading (App vs Source code).