Regularly reviewing and addressing the security vulnerabilities reported for third party software will decrease the risk of a compromise. For any third party libraries or software being used in the system:

• Upgrade to the latest version, or apply the latest security patches.
• Look for documentation on their security weaknesses and configure them with their most secure settings.
• Modify any of the defaults that need to be changed.
• Avoid using components with known vulnerabilities.

It is essential to review all How-tos for this countermeasure, as each one applies to a different platform or library being used.

Most third party library and framework vendors publish security bulletins for their products directly using their website. Additionally, the following sources can be used to locate security advisories and details about required patch levels for most commonly available products and libraries:

• Security Focus Vulnerability Database

  - Advisories are categorized by Vendor > Product > Version.
  

• National Vulnerability Database (NVD)
• Common Vulnerability Enumerator (by MITRE Foundation)

Imported from SD Elements: https://redhat.sdelements.com/bunits/psse-secure-development/group-2-extended-functionality-offerings/amq-clients/tasks/phase/development/141-T186/

How Tos:

How to make sure that third-party libraries are up-to-date

Most third party library/framework vendors publish security bulletins for their products via their website directly. They also have official download pages which specify the current stable release version. Follow these steps to use such information:

• Create a list of all frameworks and third party libraries that you use

• Locate security bulletin boards and download pages for those libraries and frameworks

• Visit those pages regularly and follow any upgrade recommendations for upgrade to a newer version especially when a security flaw is discovered and reported

• Sometimes security flaws are fixed in the latest versions without proper documentation and notice. Make sure you upgrade to a later version of the libraries when older versions are no longer supported or when they are very outdated

Using SCA tools to keep third-party libraries up-to-date

Software Composition Analysis (SCA) tools can help to automatically enumerate the list of third-party libraries, frameworks, and modules used in applications, as well as to identify the risks involved from using those components.

Enterprise-level SCA tools provide the following functionalities:

• Enumerating the list of third-party libraries and identifying their type.

  - Use this feature to create an inventory of all the libraries used across your applications and products.
  - Also, identify the type of libraries used. For example, a library is used for logging or is a web application framework. This can help to better estimate the risk of finding vulnerabilities in those components or to find other alternative libraries to replace them if needed.
  

• Identifying the nested dependencies.
• The libraries that you use may have dependencies on other libraries. Use this feature to create a holistic view of all direct or transitive dependencies involved in your applications and products.

• Identifying the version of the used libraries and highlighting outdated technologies.

  - Use this feature to make sure you use the latest version of the libraries. Newer versions normally improve quality and performance, and address the known security vulnerabilities.
  - Retire libraries that are no longer supported and replace them with the newer versions of the same library or alternative libraries.
  

• Identifying known vulnerabilities from different sources of vulnerability intelligence like the CVE (Common Vulnerability Enumeration) list.

  - Make sure you mitigate known vulnerabilities identified by the SCA tool. Use newer versions or alternative libraries or utilize custom security tools to avoid any exploits.
  

• Identifying the type of licenses associated with each library.

  - Software licenses may limit the types of usage or distribution of those libraries. They may also require specific actions if the component is modified. Use this feature to identify licenses and make sure you utilize libraries with licenses that do not conflict with your organization's objectives or policies.