CWE-1357: Reliance on Insufficiently Trustworthy Component
Abstraction: Class. Status: Incomplete. 0 recent CVEs.
Description
The product is built from multiple separate components, but it uses a component that is not sufficiently trusted to meet expectations for security, reliability, updateability, and maintainability.
Common consequences
- Scope: Other. Impact: Reduce Maintainability.
Potential mitigations
- Phases: Requirements; Architecture and Design; Implementation. For each component, ensure that its supply chain is well-controlled, with sub-tier suppliers using best practices. For third-party software components such as libraries, ensure that they are developed and actively maintained by reputable vendors.
- Phases: Architecture and Design; Implementation; Integration; Manufacturing. Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
- Phases: Operation; Patching and Maintenance. Continue to monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, supplier practices that affect trustworthiness, etc.
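The three mitigations above work together: the SBOM records each component, its supplier and its place in the dependency hierarchy, and the operational monitoring feeds in facts (EOL dates, known-vulnerable versions, missing supplier) that decide whether a component is still trustworthy. The following is an added example, not code from the CWE entry or from any SBOM tool: it parses a CycloneDX-style JSON SBOM, walks the `dependencies` graph from the product root so that every flagged component is reported with the path through which the product depends on it, and applies a small trust policy. The SBOM document, the component names and versions, the EOL table and the known-vulnerable set are all constructed for illustration and are hypothetical.

```python
"""Walk a CycloneDX-style SBOM and flag components that fail a trust policy.

Added example, not taken from the CWE entry or any SBOM tool. The field
names (bomFormat, components, dependencies with ref/dependsOn, bom-ref)
follow the CycloneDX JSON layout; every component, version, supplier and
date below is hypothetical and constructed for this example.
"""
import json
from collections import deque
from datetime import date

# Constructed SBOM for a hypothetical product. "bom-ref" values tie the
# components list to the dependency graph (the "hierarchical relationships").
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "type": "application",
                               "name": "inventory-service", "version": "2.3.0"}},
    "components": [
        {"bom-ref": "web", "type": "library", "name": "webfw", "version": "4.1.2",
         "supplier": {"name": "Example Web Project"}},
        {"bom-ref": "tmpl", "type": "library", "name": "tmpl-engine", "version": "0.9.1"},
        {"bom-ref": "xml", "type": "library", "name": "fastxml", "version": "1.0.7",
         "supplier": {"name": "Example Parsers"}},
        {"bom-ref": "crypto", "type": "library", "name": "oldcrypto", "version": "2.2.0",
         "supplier": {"name": "Example Crypto"}},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web", "crypto"]},
        {"ref": "web", "dependsOn": ["tmpl", "xml"]},
        {"ref": "tmpl", "dependsOn": []},
        {"ref": "xml", "dependsOn": []},
        {"ref": "crypto", "dependsOn": []},
    ],
})

# Hypothetical supplier intelligence of the kind gathered during operation
# and maintenance (EOL announcements, vulnerability feeds).
EOL_DATES = {"oldcrypto": date(2023, 12, 31)}
KNOWN_VULNERABLE = {("fastxml", "1.0.7")}


def load_sbom(text):
    """Return (root bom-ref, {bom-ref: component}, {bom-ref: [children]})."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    comps = {c["bom-ref"]: c for c in bom.get("components", [])}
    root = bom["metadata"]["component"]
    comps[root["bom-ref"]] = root
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root["bom-ref"], comps, graph


def dependency_paths(root, graph):
    """Breadth-first walk from the root; one path of bom-refs per reachable node."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in paths:
                paths[child] = paths[node] + [child]
                queue.append(child)
    return paths


def evaluate(component, today):
    """Policy checks for one component; returns a list of failures (empty = passes)."""
    findings = []
    name, version = component["name"], component.get("version", "")
    if not component.get("supplier", {}).get("name"):
        findings.append("no supplier recorded")
    eol = EOL_DATES.get(name)
    if eol is not None and eol < today:
        findings.append(f"end-of-life since {eol.isoformat()}")
    if (name, version) in KNOWN_VULNERABLE:
        findings.append("version has a known vulnerability")
    return findings


def audit(sbom_text, today_iso):
    """Map bom-ref -> (path from root, findings) for every component that fails.

    Components present in the list but unreachable through the dependency
    graph are reported too: an SBOM whose hierarchy is incomplete cannot
    answer "how does the product depend on this?".
    """
    today = date.fromisoformat(today_iso)
    root, comps, graph = load_sbom(sbom_text)
    paths = dependency_paths(root, graph)
    report = {}
    for ref, comp in comps.items():
        if ref == root:
            continue
        if ref not in paths:
            report[ref] = ([], ["not reachable from the product root; dependency graph incomplete"])
            continue
        findings = evaluate(comp, today)
        if findings:
            report[ref] = (paths[ref], findings)
    return report


if __name__ == "__main__":
    for ref, (path, findings) in audit(SBOM_JSON, "2024-06-01").items():
        print(" -> ".join(path) or ref, ":", "; ".join(findings))
```

Run as a script it prints one line per failing component with the dependency path that brought it into the product; the root component itself is never judged. The policy functions are deliberately separate from the SBOM walk so that a real feed (a vulnerability database, a vendor EOL calendar, an internal approved-supplier list) can replace the constructed tables without touching the graph logic.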