Tests for known vulnerabilities in server side components (e.g. backend/middleware) are performed.
Risk:Server side components might have vulnerabilities.
Test of the Time to Patch (e.g. based on Mean Time to Close automatic PRs) This activity is not repeated in the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure as well.
Risk:Automatic PRs for dependencies are overlooked resulting in known vulnerabilities in production artifacts.
Test `libyear`, which provides a good insight how good patch management is.
Risk:Vulnerabilities in running artifacts stay for long and might get exploited.
Design contract-first APIs using an interface description language such as OpenAPI, AsyncAPI or SOAP and validate the specification using specific tools. Checks should be integrated in IDEs and CI/CD pipelines.
Risk:Creation of insecure or non-compliant API.
Estimate the likelihood of exploitation by using data (CISA KEV) from the past or prediction models (EPSS).
Risk:Without proper prioritization, organizations may waste time and effort on low-risk vulnerabilities while neglecting critical ones.
Integration of quality and linting plugins with interactive development environment (IDEs). Implement pre-commit checks to prevent secrets and other security issues being commit to source code.
Risk:Creating and developing code contains code smells and quality issues.
Tests for known vulnerabilities in components via Software Composition Analysis of the frontend are performed.
Risk: Client side components might have vulnerabilities.
Usage of static analysis tools for important parts of the frontend are used. Static analysis uses for example string matching algorithms and/or dataflow analysis.
Risk:Important parts in the source code of the frontend have vulnerabilities.
Usage of static analysis tools for important parts of the middleware are used. Static analysis uses for example string matching algorithms and/or dataflow analysis.
Risk:Important parts in the source code of the middleware have vulnerabilities.
Test of the Patch Deployment Time. This activity is not repeated in the Sub-Dimension "Static depth for infrastructure", but it applies to infrastructure as well.
Risk:Automatic PRs for dependencies are overlooked resulting in known vulnerabilities in production artifacts.
Usage of static analysis tools for all parts of the middleware and frontend. Static analysis uses for example string matching algorithms and/or dataflow analysis.
Risk:Parts in the source code of the frontend or middleware have vulnerabilities.
Usage of multiple static tools to find more vulnerabilities.
Risk:Each vulnerability analyzer has different opportunities. By using just one analyzer, some vulnerabilities might not be found.
Collection of unused code and then manual removal of unused code.
Risk:Dead code increases the attack surface (use of hard coded credentials and variables, sensitive information)
Automatic Detection and manual removal of duplicates in source code.
Risk:Duplicates in source code might influence the stability of the application.
Usage of a static analysis for all used components.
Risk:Used components like libraries and legacy applications might have vulnerabilities
Analysis of compliance to style guides of the source code ensures that source code formatting rules are met (e.g. indentation, loops, ...).
Risk:Unclear or obfuscated code might have unexpected behavior.