Threat On The Wire
Software application showing third-party and open source components with SBOM inventory and dependency management
CISSP Domain 8 Software Development Security

Managing Third Party And Open Source Risk In Software

J
J

Why this matters

CISSP lens

Pick answers that align business risk, governance intent, and practical control execution.

Most modern applications are built from open source libraries, third party SDKs, and external APIs. You own the risk of these components even if you did not write them. CISSP Domain 8 treats this as a core software development security concern.

Core concept

Your software supply chain includes every component, library, tool, and service that ends up in or around your application.

Risks include:

  • Known vulnerabilities in libraries and frameworks.
  • Malicious or compromised packages.
  • Abandoned components that no longer receive fixes.
  • License terms that conflict with your obligations.
  • Third party APIs that handle sensitive data poorly.

Managing this risk has both technical and governance parts.

Software composition and SBOMs

Software composition analysis tools:

  • Scan your code and builds for known libraries and versions.
  • Map them to vulnerability databases.
  • Help you generate a software bill of materials (SBOM).

An SBOM is a structured list of components included in a piece of software. It lets you answer questions like "where do we use this vulnerable library" quickly.

Evaluating and approving components

Before adding a new library or SDK:

  • Check its maintenance activity, release history, and community support.
  • Review known vulnerabilities and responsiveness of maintainers.
  • Confirm license terms are acceptable.
  • Prefer well known, actively maintained projects over obscure ones.

For third party APIs and services:

  • Assess their security practices and certifications where appropriate.
  • Review how they handle data, logging, and incident response.
  • Ensure contracts and SLAs reflect security expectations.

Ongoing monitoring

Risk does not end when you choose a component. You need:

  • Regular SCA scans of key repositories.
  • Alerts or reports when new vulnerabilities affect your components.
  • Processes for prioritizing and applying updates.

CISSP lens

Domain cross-reference

Domain 8 expects you to:

  • Recognize that third party and open source risk is part of software development security.
  • Use SBOMs and SCA to gain visibility into components.
  • Integrate vendor management, legal review, and technical controls.
  • Prioritize structured processes over ad hoc decisions by individual developers.

In exam scenarios, look for answers that establish policies and systematic controls, such as approving components centrally, maintaining an inventory, and monitoring for vulnerabilities.

Real-world scenario

A popular open source logging library used by many applications in an organization is found to have a severe remote code execution vulnerability.

Teams initially have no idea where it is used or which versions are deployed. It takes days to gather this information manually.

After the crisis, the company implements:

  • SCA on critical code bases, storing SBOMs for each release.
  • A simple approval workflow for new libraries, focused on high risk areas.
  • Subscription to vulnerability feeds that map to their SBOMs.
  • Playbooks for responding to future component level incidents.

When a later issue affects a different library, they identify affected systems within hours and push updates much more quickly.

Supply chain attack patterns

Attackers have industrialized the insight that compromising one component compromises everyone who uses it. The named patterns are worth knowing because exam scenarios and real advisories describe them precisely:

Attack patternHow it worksDefense
TyposquattingMalicious package published under a near-identical name (requets vs requests)Curated internal registries, careful dependency review
Dependency confusionPublic package published with the same name as a private internal one, build systems fetch the public versionNamespace reservation, registry resolution order, scoped packages
Maintainer compromiseLegitimate package updated with malicious code after account takeover or social engineering of the maintainerVersion pinning, delay windows before adopting new releases, update review
Build system compromiseThe vendor's own build pipeline is breached and signs malicious outputVendor assurance, provenance verification, egress monitoring

Note what changed in your mental model: the question is no longer just "does this library have known CVEs?" but "can I trust the path this artifact took to reach my build?"

Pinning, provenance, and signed artifacts

Three engineering disciplines convert that trust question into controls:

  • Version pinning and lockfiles. Builds reference exact versions (and ideally content hashes), not floating ranges. A new release of a dependency cannot silently enter your build; adopting it becomes a reviewed change. The trade-off is a deliberate update cadence, because pinning without updating just freezes old vulnerabilities in place.
  • Provenance. Frameworks like SLSA (Supply-chain Levels for Software Artifacts) define what it means to know where an artifact came from: who built it, from what source, on what system. Higher levels require builds on hardened, verifiable infrastructure. You will increasingly see provenance attestations shipped alongside artifacts.
  • Artifact signing and verification. Signing ties an artifact to its publisher; verification at deploy time ensures only signed, expected artifacts run. Combined with an SBOM, this gives you both "what is in it" and "who vouches for it".

A practical maturity order for most teams: lockfiles everywhere, then SCA with SBOM generation, then signature verification for your own artifacts, then provenance requirements for high-risk third-party components.

Governance beyond the tooling

Technical controls handle the components; governance handles the relationships. The contract and process side that exam answers favor: a defined component approval policy proportionate to risk (a UI date-picker and a cryptography library should not face the same bar), security clauses in vendor contracts including breach notification timelines and the right to receive SBOMs, a maintained inventory connecting components to the systems that contain them, and an exit plan for components and vendors alike. Abandoned open source needs a fork-or-replace decision the same way a failing vendor needs an off-boarding plan. This connects software-level controls to enterprise supply chain risk management, where the same thinking applies to every supplier, not just code.

Common mistakes

Allowing unrestricted use of any library or package without review.

Failing to track which components and versions are in use across applications.

Ignoring license obligations or assuming they are someone else’s problem.

Treating third party APIs as trusted simply because they are widely used.

Assuming cloud providers fully manage the security of all components you deploy.

Actionable checklist

  • Run SCA on your most critical repositories and record the results.
  • Start building SBOMs for key applications and tie them to releases.
  • Establish simple guidelines for selecting new libraries, including minimum maintenance and security expectations.
  • Ensure contracts for important third party services include security clauses and notification requirements for incidents.
  • Subscribe to vulnerability alerts for your major components and plan how you will respond.
  • Practice a mini supply chain incident drill, tracing one vulnerable library across your applications and simulating an update.

Key takeaways

  • Most of your application is code you did not write, and you are responsible for its risk.
  • SCA and SBOMs provide visibility that is essential for managing vulnerabilities.
  • Governance, such as approval processes and vendor contracts, is as important as technical scanning.
  • CISSP Domain 8 expects structured management of third party and open source components.

Exam-style reflection

Exam practice

A development team wants to add a new open source encryption library to a critical system. What should the security manager ensure before approving it.

Short answer: Confirm that the library is actively maintained, has acceptable licensing, has been reviewed for known vulnerabilities, and will be tracked in SBOM and SCA processes so future issues can be managed.

Keep learning: Waterfall, Agile, DevOps, CISSP Domain 8 Exam Scenario Deep Dive.

This article is part of the CISSP Domain 8: Software Development Security study guide. Use the pillar to navigate every article in this domain.

You might also like
Secure Coding Foundations For Managers
CISSP
members

Secure Coding Foundations For Managers

J
J
Security Operations Foundations: Running Day to Day Security Without Burning Out Your Team
CISSP
members

Security Operations Foundations: Running Day to Day Security Without Burning Out Your Team

J
J
Security Assessment And Testing Fundamentals: How To Know If Your Controls Actually Work
CISSP
members

Security Assessment And Testing Fundamentals: How To Know If Your Controls Actually Work

J
J
© 2025 Threat On The Wire. All rights reserved.