Do you ensure only required modules are included in the product?
| Field | Value |
|---|---|
| ID | esf_s3c_dev/remove_non_require_features |
| Severity | critical |
| Category | |
| Levels | |
| Optional | false |
| Tags | SSDF-PW.7, security, supply-chain |
Description
Do you ensure only required modules are included in the product and “unused” modules and code out of scope of the requirements and design document are uninstalled or removed, mitigating “living off-the-land” attacks and decreasing the attack surface?
A project that is not active might not be patched, might not have its dependencies patched, and might not be actively tested or used. It may therefore contain unpatched vulnerabilities.
Rationale
It is important that all components and functionality of a product are architected and designed to interact with the system using secure design practices, including threat modeling and attack surface analysis. Once all security risks are identified and mitigated, architecture and design documents are finalized and disseminated to development groups for implementation.
Low-level design and functional specifications are created that map directly to the given architecture and high-level design, and development tasks and schedules are mapped out. During the coding and implementation of the system, care must be taken to ensure that all development efforts map to specific system requirements and that there is no “feature creep” that might compromise product integrity or inject vulnerabilities.
Verification
If the project is archived, it receives the lowest score with FAIL compliance.
The activity considered for the project during the previous period (90 days by default) is:
- Commits
- Changes in issues (including comments) from users who are collaborators, members, or owners of the project.
If the activity per week (number of commits or issue changes) exceeds the minimum activity threshold per week, the project receives a PASS with maximum score.
If the activity is below this threshold, the project receives a PARTIAL compliance.
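The verification rules above, worked through as an added example (this is not the checker's own code). Assumptions: the `Event` type, the role strings, the `min_per_week` value and the sample data are constructed for illustration, activity is averaged over the whole period, and activity exactly at the threshold counts as PARTIAL.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed role labels for "collaborators, members, or owners".
TRUSTED_ROLES = {"COLLABORATOR", "MEMBER", "OWNER"}

@dataclass
class Event:
    kind: str              # "commit" or "issue_change" (hypothetical labels)
    when: datetime
    author_role: str = ""  # only checked for issue changes

def evaluate(archived, events, now, min_per_week, period_days=90):
    """Return (compliance, average counted events per week)."""
    if archived:
        return "FAIL", 0.0  # archived projects fail regardless of history
    start = now - timedelta(days=period_days)
    counted = 0
    for e in events:
        if not start <= e.when <= now:
            continue  # outside the review period
        if e.kind == "commit":
            counted += 1
        elif e.kind == "issue_change" and e.author_role in TRUSTED_ROLES:
            counted += 1  # changes from other users do not count
    weekly = counted / (period_days / 7)
    # Assumption: activity exactly at the threshold does not "exceed" it.
    return ("PASS" if weekly > min_per_week else "PARTIAL"), weekly

# Constructed sample data, not taken from any real project.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)

def days_ago(n):
    return NOW - timedelta(days=n)

ACTIVE = [Event("commit", days_ago(4 * i)) for i in range(20)] + \
         [Event("issue_change", days_ago(i), "MEMBER") for i in range(5)]
QUIET = [Event("commit", days_ago(10 * i)) for i in range(3)] + \
        [Event("issue_change", days_ago(i), "NONE") for i in range(30)] + \
        [Event("commit", days_ago(200))]  # too old to count

if __name__ == "__main__":
    for name, archived, events in [("active", False, ACTIVE),
                                   ("quiet", False, QUIET),
                                   ("archived", True, ACTIVE)]:
        print(name, evaluate(archived, events, NOW, min_per_week=1.0))
```

The quiet project shows why the role filter matters: thirty issue comments from unaffiliated users do not lift it out of PARTIAL, because only three events are counted.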