
Security Test: Compromised Supply Chain

Description

Default Severity:

A compromised supply chain occurs when an attacker tampers with a trusted external service, library, or tool to introduce malicious code. Because developers build their applications on these components, a single compromised dependency can hand an attacker a backdoor into your system. The danger is that a tampered component can remain unnoticed, so unauthorized access or data theft may go undetected until it is too late. A common pitfall is assuming that third-party tools are inherently safe instead of actively monitoring them for suspicious updates and known vulnerabilities.
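One concrete way to stop trusting a dependency blindly is to refuse any artifact whose digest does not match a hash pinned in the committed lock file. The script below is an added example written for this page; it is not the scanner's own code and it does not show how the check above is implemented. It assumes a pip-style lock file with `--hash=sha256:...` entries, and the lock file, package bytes, and package names (examplelib, unpinnedtool, surprisedep) are all constructed for the demo.

```python
"""Added example: verify a downloaded dependency against pinned hashes.

Not part of the original page or the scanner's code. The lock file and the
artifact bytes below are constructed so the demo runs offline.
"""
import hashlib
import re
from dataclasses import dataclass, field

# `name==version` at the start of a requirement line.
PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>[^\s\\]+)")
# Each `--hash=algo:digest` option on that line.
HASH_RE = re.compile(r"--hash=(?P<algo>sha256|sha512):(?P<digest>[0-9a-f]+)")


@dataclass
class Pin:
    version: str
    hashes: dict = field(default_factory=dict)  # algo -> set of allowed digests


def parse_lock(text: str) -> dict:
    """Parse pip-style requirement lines with --hash options.

    Backslash continuations are joined first, so a pin and its hashes can
    span several physical lines as pip-compile writes them.
    """
    pins = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            continue
        pin = Pin(version=m.group("version"))
        for h in HASH_RE.finditer(line):
            pin.hashes.setdefault(h.group("algo"), set()).add(h.group("digest"))
        pins[m.group("name").lower()] = pin
    return pins


def verify_artifact(name: str, version: str, data: bytes, pins: dict) -> tuple:
    """Return (ok, reason). Block anything unpinned, mismatched in version,
    pinned without hashes, or whose digest is not in the lock file."""
    pin = pins.get(name.lower())
    if pin is None:
        return False, "not pinned in lock file"
    if pin.version != version:
        return False, f"version {version} differs from pinned {pin.version}"
    if not pin.hashes:
        return False, "pinned without hashes; integrity cannot be attested"
    for algo, allowed in pin.hashes.items():
        if hashlib.new(algo, data).hexdigest() in allowed:
            return True, f"{algo} digest matches lock file"
    return False, "digest does not match any pinned hash (possible tampering)"


# Constructed stand-ins for a genuine wheel and a modified copy of it.
GENUINE_WHEEL = b"PK\x03\x04 genuine build of examplelib 1.4.2 (constructed)"
TAMPERED_WHEEL = GENUINE_WHEEL + b"\n# extra bytes appended (constructed tampering)"

# Constructed lock file. In real use the hashes come from the lock committed
# to the repository; they are computed here only so the demo is self-contained.
LOCK_FILE = (
    "# constructed requirements lock\n"
    "examplelib==1.4.2 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GENUINE_WHEEL).hexdigest()}\n"
    "unpinnedtool==0.9.0\n"
)


def run_demo() -> dict:
    """Run the check over the constructed cases and return label -> (ok, reason)."""
    pins = parse_lock(LOCK_FILE)
    return {
        "genuine": verify_artifact("examplelib", "1.4.2", GENUINE_WHEEL, pins),
        "tampered": verify_artifact("examplelib", "1.4.2", TAMPERED_WHEEL, pins),
        "wrong_version": verify_artifact("examplelib", "1.5.0", GENUINE_WHEEL, pins),
        "no_hash": verify_artifact("unpinnedtool", "0.9.0", b"anything", pins),
        "unknown": verify_artifact("surprisedep", "1.0", b"x", pins),
    }


if __name__ == "__main__":
    for label, (ok, reason) in run_demo().items():
        print(f"{label:14} {'ALLOW' if ok else 'BLOCK':5} {reason}")
```

The important design point is that the check fails closed: a package that is missing from the lock, pinned without a hash, or shipped at a different version is blocked just like one whose bytes were altered, because each of those gaps is exactly where a tampered update would otherwise slip through unnoticed.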

Reference:

Configuration

Identifier: configuration/compromised_supply_chain

Examples

All configuration available:

checks:
  configuration/compromised_supply_chain:
    skip: false # default

Compliance and Standards

Standard          Value
OWASP API Top 10  API9:2023
OWASP LLM Top 10  LLM06:2023
PCI DSS           6.2
GDPR              Article-32
SOC2              CC7
PSD2              Article-96
ISO 27001         A.14.2
NIST              SP800-161
CWE               829
CVSS Vector       AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score        8.0