  • Direct dependencies are straightforward.
    • Upgrade direct dependencies to the latest supported version with each release.
    • Prioritize upgrading direct dependencies with effective vulnerabilities.
      • An effective vulnerability is one that can be executed by the application containing it.
      • Not all vulnerabilities in a package are in code that is used by the application.
    • Prioritize upgrading direct dependencies on deprecated versions.
    • Prioritize upgrading direct dependencies containing vulnerable dependencies.
    • Dependencies with zero-day critical vulnerabilities may require upgrades and emergency releases. A good example is Log4j.
  • Transitive dependencies are more difficult.
    • May be resolved by upgrading to a newer version of the direct dependency containing it.
    • Some transitive dependencies can be upgraded independently, but this requires more testing.
  • How to automate the mitigation?
    • Some container scanning tools can automatically upgrade open source dependencies used in container base images.
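One way to turn the prioritisation rules above into an upgrade plan, as an added example that is not part of this page: each dependency is a record with the flags the list names (direct or transitive, effective vs. ineffective vulnerabilities, deprecated, zero-day critical, and the direct parent that pulls in a transitive). The `Dep` class, the tier constants and the sample inventory are assumptions constructed for illustration, as is the simplification that a transitive dependency with a known direct parent is resolved by upgrading that parent.

```python
from dataclasses import dataclass

EMERGENCY, EFFECTIVE, DEPRECATED, VULN_TRANSITIVE, ROUTINE = range(5)  # lower sorts first

@dataclass
class Dep:
    name: str
    direct: bool
    parent: str = ""             # direct dependency pulling in this transitive, if known
    effective_vulns: int = 0     # vulnerabilities in code paths the application executes
    ineffective_vulns: int = 0   # vulnerabilities in unused code: routine upgrade only
    deprecated: bool = False
    zero_day_critical: bool = False

def direct_tier(dep, deps):
    # Zero-day > effective vulnerability > deprecated > pulls in a vulnerable transitive.
    if dep.zero_day_critical:
        return EMERGENCY
    if dep.effective_vulns:
        return EFFECTIVE
    if dep.deprecated:
        return DEPRECATED
    if any(d.parent == dep.name and (d.effective_vulns or d.zero_day_critical) for d in deps):
        return VULN_TRANSITIVE
    return ROUTINE

def plan_upgrades(deps):
    # Returns (name, tier, action) tuples ordered by urgency, then by name.
    names = {d.name for d in deps}
    plan = []
    for d in deps:
        if d.direct:
            plan.append((d.name, direct_tier(d, deps), "upgrade to latest supported version"))
        elif d.zero_day_critical or d.effective_vulns or d.deprecated:
            t = EMERGENCY if d.zero_day_critical else EFFECTIVE if d.effective_vulns else DEPRECATED
            action = (f"resolve by upgrading direct dependency {d.parent}" if d.parent in names
                      else "upgrade independently; schedule extra testing")
            plan.append((d.name, t, action))
    return sorted(plan, key=lambda item: (item[1], item[0]))

# Constructed sample inventory (hypothetical package names, not real advisories).
SAMPLE = [
    Dep("log-lib", direct=True, zero_day_critical=True),
    Dep("json-lib", direct=True, effective_vulns=2),
    Dep("io-utils", direct=True, deprecated=True),
    Dep("web-lib", direct=True),
    Dep("yaml-lib", direct=False, parent="web-lib", effective_vulns=1),
    Dep("compress-lib", direct=False, effective_vulns=1),        # parent not recorded
    Dep("collections-lib", direct=True, ineffective_vulns=1),   # unused code path only
]
```

Running `plan_upgrades(SAMPLE)` lists the zero-day package first, then packages with effective vulnerabilities (the orphan transitive flagged for independent upgrade and extra testing), then the deprecated one, then the direct dependency that only needs a bump because of its vulnerable child, with the ineffective-only package last as a routine upgrade.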

Threats and industry trends analysis

This area will be used to track trends and emerging threats related to security.

Security Initiatives