framework-mcp 2.2.2 → 2.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -73,7 +73,18 @@ jobs:
73
73
  - name: Build
74
74
  run: npm run build
75
75
 
76
+ - name: Check if version exists on npm
77
+ id: version-check
78
+ run: |
79
+ PACKAGE_VERSION=$(node -p "require('./package.json').version")
80
+ if npm view framework-mcp@$PACKAGE_VERSION version 2>/dev/null; then
81
+ echo "exists=true" >> $GITHUB_OUTPUT
82
+ else
83
+ echo "exists=false" >> $GITHUB_OUTPUT
84
+ fi
85
+
76
86
  - name: Publish to npm
77
- run: npm publish --if-present
87
+ if: steps.version-check.outputs.exists == 'false'
88
+ run: npm publish
78
89
  env:
79
90
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -1 +1 @@
1
- {"version":3,"file":"safeguard-manager.d.ts","sourceRoot":"","sources":["../../src/core/safeguard-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAc,MAAM,oBAAoB,CAAC;AAElE,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAA+B;IAC5C,OAAO,CAAC,UAAU,CAAwC;IAC1D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAQ;IAC9C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAkB;IAChE,OAAO,CAAC,kBAAkB,CAAyB;IACnD,OAAO,CAAC,WAAW,CAAa;;IAQzB,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,eAAe,GAAE,OAAe,GAAG,gBAAgB,GAAG,IAAI;IA4BnG,uBAAuB,IAAI,MAAM,EAAE;IAgBnC,gBAAgB,IAAI,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAIpD,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAerD,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,2BAA2B;IAmCnC;;OAEG;IACI,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE;IAO7D;;OAEG;IACI,UAAU,IAAI,IAAI;IAKzB,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,yBAAyB;IA2BjC,OAAO,CAAC,oBAAoB;CAsghB7B"}
1
+ {"version":3,"file":"safeguard-manager.d.ts","sourceRoot":"","sources":["../../src/core/safeguard-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAc,MAAM,oBAAoB,CAAC;AAElE,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,KAAK,CAA+B;IAC5C,OAAO,CAAC,UAAU,CAAwC;IAC1D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAQ;IAC9C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,sBAAsB,CAAkB;IAChE,OAAO,CAAC,kBAAkB,CAAyB;IACnD,OAAO,CAAC,WAAW,CAAa;;IAQzB,mBAAmB,CAAC,WAAW,EAAE,MAAM,EAAE,eAAe,GAAE,OAAe,GAAG,gBAAgB,GAAG,IAAI;IA4BnG,uBAAuB,IAAI,MAAM,EAAE;IAgBnC,gBAAgB,IAAI,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAAC;IAIpD,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI;IAerD,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,uBAAuB;IAS/B,OAAO,CAAC,2BAA2B;IAmCnC;;OAEG;IACI,aAAa,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAA;KAAE;IAO7D;;OAEG;IACI,UAAU,IAAI,IAAI;IAKzB,OAAO,CAAC,yBAAyB;IAajC,OAAO,CAAC,yBAAyB;IA2BjC,OAAO,CAAC,oBAAoB;CAq+gB7B"}
@@ -519,23 +519,19 @@ export class SafeguardManager {
519
519
  "2.1": {
520
520
  id: "2.1",
521
521
  title: "Establish and Maintain a Software Inventory",
522
- description: "Establish and maintain a detailed inventory of all licensed software installed on enterprise assets",
522
+ description: "Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently.",
523
523
  implementationGroup: "IG1",
524
- assetType: ["applications"],
524
+ assetType: ["Software"],
525
525
  securityFunction: ["Identify"],
526
526
  governanceElements: [
527
- "Establish and maintain a detailed inventory of all licensed software installed on enterprise assets",
528
- "The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date",
529
- "Review and update the software inventory bi-annually, or more frequently"
527
+ "Establish a Software Inventory",
528
+ "The software inventory must document the sub-taxonomical elements, where appropriate",
529
+ "Review and update the software inventory bi-annually, or more frequently - AKA Maintain"
530
530
  ],
531
531
  coreRequirements: [
532
- "Detailed inventory of all licensed software",
533
- "Installed on enterprise Assets"
532
+ "Detailed inventory of all licensed software"
534
533
  ],
535
534
  subTaxonomicalElements: [
536
- "Establish",
537
- "Maintain",
538
- "Must Document",
539
535
  "Title",
540
536
  "Publisher",
541
537
  "Initial Install / Use Date",
@@ -544,10 +540,7 @@ export class SafeguardManager {
544
540
  "App Store(s)",
545
541
  "App Version(s)",
546
542
  "Deployment mechanism",
547
- "Decomm. Date",
548
- "Where appropriate",
549
- "bi-annually",
550
- "More Frequently"
543
+ "Decomm. Date"
551
544
  ],
552
545
  implementationSuggestions: [ // Gray - Implementation suggestions
553
546
  ],
@@ -603,7 +596,7 @@ export class SafeguardManager {
603
596
  title: "Ensure That Only Currently Supported Software Is Designated as Authorized",
604
597
  description: "Ensure that only currently supported software is designated as authorized in the software inventory",
605
598
  implementationGroup: "IG1",
606
- assetType: ["applications"],
599
+ assetType: ["Software"],
607
600
  securityFunction: ["Identify"],
608
601
  governanceElements: [
609
602
  "Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently."
@@ -613,15 +606,10 @@ export class SafeguardManager {
613
606
  "Authorized in the software inventory"
614
607
  ],
615
608
  subTaxonomicalElements: [
616
- "Ensure",
617
609
  "Determine if Authorized Software Is Currently Supported",
618
- "If Unsupported",
619
610
  "Determine Necessity for Business",
620
- "Document Exception detailing mitigating controls",
621
- "Document Residual risk acceptance",
622
- "Review the software list",
623
- "Monthly",
624
- "More frequently"
611
+ "Document Exception detailing mitigating controls IF Unsupported",
612
+ "Document Residual risk acceptance IF Unsupported"
625
613
  ],
626
614
  implementationSuggestions: [ // Gray - Implementation suggestions
627
615
  ],
@@ -677,7 +665,7 @@ export class SafeguardManager {
677
665
  title: "Address Unauthorized Software",
678
666
  description: "Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.",
679
667
  implementationGroup: "IG1",
680
- assetType: ["applications"],
668
+ assetType: ["Software"],
681
669
  securityFunction: ["Respond"],
682
670
  governanceElements: [
683
671
  "Ensure",
@@ -689,9 +677,7 @@ export class SafeguardManager {
689
677
  subTaxonomicalElements: [
690
678
  "Address Unauthorized Software",
691
679
  "Remove from use",
692
- "Document Exception",
693
- "Monthly",
694
- "More Frequently"
680
+ "Document Exception"
695
681
  ],
696
682
  implementationSuggestions: [ // Gray - Implementation suggestions
697
683
  ],
@@ -747,21 +733,19 @@ export class SafeguardManager {
747
733
  title: "Utilize Automated Software Inventory Tools",
748
734
  description: "Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.",
749
735
  implementationGroup: "IG2",
750
- assetType: ["applications"],
736
+ assetType: ["Software"],
751
737
  securityFunction: ["Detect"],
752
738
  governanceElements: [
753
739
  "Utilize",
754
740
  "when possible"
755
741
  ],
756
742
  coreRequirements: [
757
- "software inventory tools",
758
- "automate the discovery and documentation of installed software"
743
+ "software inventory tools"
759
744
  ],
760
745
  subTaxonomicalElements: [
761
746
  "Automate Discovery",
762
747
  "Automate Documentation",
763
- "Installed Software",
764
- "When possible"
748
+ "Installed Software"
765
749
  ],
766
750
  implementationSuggestions: [ // Gray - Implementation suggestions
767
751
  ],
@@ -817,7 +801,7 @@ export class SafeguardManager {
817
801
  title: "Allowlist Authorized Software",
818
802
  description: "Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.",
819
803
  implementationGroup: "IG2",
820
- assetType: ["applications"],
804
+ assetType: ["Software"],
821
805
  securityFunction: ["Protect"],
822
806
  governanceElements: [
823
807
  "Use",
@@ -829,13 +813,9 @@ export class SafeguardManager {
829
813
  "only authorized software can execute or be accessed"
830
814
  ],
831
815
  subTaxonomicalElements: [
832
- "Allowlist Authorized Software",
833
816
  "Technical Controls",
834
- "Execute",
835
- "Accessed",
836
- "Reassess",
837
- "Bi-Annually",
838
- "More Frequently"
817
+ "Allow software to Execute",
818
+ "Allow software to be Accessed"
839
819
  ],
840
820
  implementationSuggestions: [
841
821
  "Application Allowlisting"
@@ -892,27 +872,20 @@ export class SafeguardManager {
892
872
  title: "Allowlist Authorized Libraries",
893
873
  description: "Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so. files are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.",
894
874
  implementationGroup: "IG2",
895
- assetType: ["applications"],
875
+ assetType: ["Software"],
896
876
  securityFunction: ["Protect"],
897
877
  governanceElements: [
898
878
  "Use",
899
879
  "Ensure",
900
- "Block unauthorized libraries from loading into a system process",
901
880
  "Reassess bi-annually, or more frequently"
902
881
  ],
903
882
  coreRequirements: [
904
- "technical controls",
905
883
  "only authorized software libraries",
906
884
  "are allowed to load into a system process"
907
885
  ],
908
886
  subTaxonomicalElements: [
909
- "Only authorized software libraries",
910
- "Are allowed to load into a system process",
911
887
  "Technical Controls",
912
- "Block unauthorized libraries from loading into a system process",
913
- "Reassess",
914
- "Bi-Annually",
915
- "More Frequently"
888
+ "Block unauthorized libraries from loading into a system process"
916
889
  ],
917
890
  implementationSuggestions: [
918
891
  "Specific .dll files",
@@ -971,25 +944,19 @@ export class SafeguardManager {
971
944
  title: "Allowlist Authorized Scripts",
972
945
  description: "Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, files are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.",
973
946
  implementationGroup: "IG3",
974
- assetType: ["applications"],
947
+ assetType: ["Software"],
975
948
  securityFunction: ["Protect"],
976
949
  governanceElements: [
977
950
  "Use",
978
951
  "Ensure",
979
- "Block unauthorized scripts from executing",
980
952
  "Reassess bi-annually, or more frequently"
981
953
  ],
982
954
  coreRequirements: [
983
- "technical controls",
984
955
  "only authorized files are allowed to execute"
985
956
  ],
986
957
  subTaxonomicalElements: [
987
- "Only authorized files are allowed to execute",
988
958
  "Technical Controls",
989
959
  "Block unauthorized scripts from executing",
990
- "Reassess",
991
- "Bi-Annually",
992
- "More Frequently"
993
960
  ],
994
961
  implementationSuggestions: [
995
962
  "Digital signatures",
@@ -1214,7 +1181,7 @@ export class SafeguardManager {
1214
1181
  "ACLS - \"aka\" Access Permissions",
1215
1182
  "Local",
1216
1183
  "Remote File Systems",
1217
- "Applications",
1184
+ "Software",
1218
1185
  "Databases"
1219
1186
  ],
1220
1187
  implementationSuggestions: [ // Gray - Implementation suggestions
@@ -1773,7 +1740,7 @@ export class SafeguardManager {
1773
1740
  subTaxonomicalElements: [
1774
1741
  "Encrypt Sensitive Data At Rest",
1775
1742
  "Servers",
1776
- "Applications",
1743
+ "Software",
1777
1744
  "Databases",
1778
1745
  "Storage Layer (server side) encryption",
1779
1746
  "Minimum Requirement"
@@ -2044,7 +2011,7 @@ export class SafeguardManager {
2044
2011
  title: "Establish and Maintain a Secure Configuration Process",
2045
2012
  description: "Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.",
2046
2013
  implementationGroup: "IG1",
2047
- assetType: ["end-user devices", "network devices", "IoT devices", "servers", "applications"],
2014
+ assetType: ["end-user devices", "network devices", "IoT devices", "servers", "Software"],
2048
2015
  securityFunction: ["Govern"],
2049
2016
  governanceElements: [
2050
2017
  "Establish",
@@ -2067,7 +2034,7 @@ export class SafeguardManager {
2067
2034
  "Non-computing/IoT devices",
2068
2035
  "Servers",
2069
2036
  "OS",
2070
- "Applications"
2037
+ "Software"
2071
2038
  ],
2072
2039
  implementationSuggestions: [
2073
2040
  "Secure Configuration Policy / Process",
@@ -2416,7 +2383,7 @@ export class SafeguardManager {
2416
2383
  title: "Securely Manage Enterprise Assets and Software",
2417
2384
  description: "Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled- Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.",
2418
2385
  implementationGroup: "IG1",
2419
- assetType: ["devices", "applications"],
2386
+ assetType: ["devices", "Software"],
2420
2387
  securityFunction: ["Protect"],
2421
2388
  governanceElements: [
2422
2389
  "Do not use insecure management protocols",
@@ -2489,7 +2456,7 @@ export class SafeguardManager {
2489
2456
  title: "Manage Default Accounts on Enterprise Assets and Software",
2490
2457
  description: "Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.",
2491
2458
  implementationGroup: "IG1",
2492
- assetType: ["devices", "applications", "users"],
2459
+ assetType: ["devices", "Software", "users"],
2493
2460
  securityFunction: ["Protect"],
2494
2461
  governanceElements: [
2495
2462
  "Manage"
@@ -2562,7 +2529,7 @@ export class SafeguardManager {
2562
2529
  title: "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software",
2563
2530
  description: "Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.",
2564
2531
  implementationGroup: "IG2",
2565
- assetType: ["devices", "applications"],
2532
+ assetType: ["devices", "Software"],
2566
2533
  securityFunction: ["Protect"],
2567
2534
  governanceElements: [
2568
2535
  "Uninstall",
@@ -4075,7 +4042,7 @@ export class SafeguardManager {
4075
4042
  title: "Establish and Maintain a Remediation Process",
4076
4043
  description: "Establish and maintain a remediation process and SLA for security vulnerabilities",
4077
4044
  implementationGroup: "IG1",
4078
- assetType: ["applications"],
4045
+ assetType: ["Software"],
4079
4046
  securityFunction: ["Respond"],
4080
4047
  governanceElements: [
4081
4048
  "establish remediation process",
@@ -4239,7 +4206,7 @@ export class SafeguardManager {
4239
4206
  title: "Perform Automated Application Patch Management",
4240
4207
  description: "Perform automated application patch management on enterprise assets",
4241
4208
  implementationGroup: "IG1",
4242
- assetType: ["applications"],
4209
+ assetType: ["Software"],
4243
4210
  securityFunction: ["Protect"],
4244
4211
  governanceElements: [
4245
4212
  "perform automated application patching",
@@ -4321,7 +4288,7 @@ export class SafeguardManager {
4321
4288
  title: "Perform Automated Vulnerability Scans of Internal Enterprise Assets",
4322
4289
  description: "Perform automated vulnerability scans of internal enterprise assets on a quarterly or more frequent basis",
4323
4290
  implementationGroup: "IG2",
4324
- assetType: ["devices", "applications"],
4291
+ assetType: ["devices", "Software"],
4325
4292
  securityFunction: ["Detect"],
4326
4293
  governanceElements: [
4327
4294
  "perform automated vulnerability scans",
@@ -4403,7 +4370,7 @@ export class SafeguardManager {
4403
4370
  title: "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets",
4404
4371
  description: "Perform automated vulnerability scans of externally-exposed enterprise assets using either an internal or external vulnerability scanning service",
4405
4372
  implementationGroup: "IG2",
4406
- assetType: ["devices", "applications"],
4373
+ assetType: ["devices", "Software"],
4407
4374
  securityFunction: ["Detect"],
4408
4375
  governanceElements: [
4409
4376
  "perform automated vulnerability scans",
@@ -4485,7 +4452,7 @@ export class SafeguardManager {
4485
4452
  title: "Remediate Detected Vulnerabilities",
4486
4453
  description: "Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis",
4487
4454
  implementationGroup: "IG2",
4488
- assetType: ["applications"],
4455
+ assetType: ["Software"],
4489
4456
  securityFunction: ["Respond"],
4490
4457
  governanceElements: [
4491
4458
  "remediate detected vulnerabilities",
@@ -5421,7 +5388,7 @@ export class SafeguardManager {
5421
5388
  title: "Ensure Use of Only Fully Supported Browsers and Email Clients",
5422
5389
  description: "Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor",
5423
5390
  implementationGroup: "IG1",
5424
- assetType: ["applications"],
5391
+ assetType: ["Software"],
5425
5392
  securityFunction: ["Protect"],
5426
5393
  governanceElements: [
5427
5394
  "ensure only fully supported browsers and email clients are allowed to execute",
@@ -5658,7 +5625,7 @@ export class SafeguardManager {
5658
5625
  title: "Restrict Unnecessary or Unauthorized Browser and Email Client Extensions",
5659
5626
  description: "Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications",
5660
5627
  implementationGroup: "IG2",
5661
- assetType: ["applications"],
5628
+ assetType: ["Software"],
5662
5629
  securityFunction: ["Protect"],
5663
5630
  governanceElements: [
5664
5631
  "restrict unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications",
@@ -8252,7 +8219,7 @@ export class SafeguardManager {
8252
8219
  title: "Perform Application Layer Filtering",
8253
8220
  description: "Perform application layer filtering to protect against the enterprise's most common network-based attacks",
8254
8221
  implementationGroup: "IG3",
8255
- assetType: ["network", "applications"],
8222
+ assetType: ["network", "Software"],
8256
8223
  securityFunction: ["Protect"],
8257
8224
  governanceElements: [
8258
8225
  "perform application layer filtering",
@@ -9680,7 +9647,7 @@ export class SafeguardManager {
9680
9647
  title: "Establish and Maintain a Secure Application Development Process",
9681
9648
  description: "Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard",
9682
9649
  implementationGroup: "IG2",
9683
- assetType: ["applications"],
9650
+ assetType: ["Software"],
9684
9651
  securityFunction: ["Govern"],
9685
9652
  governanceElements: [
9686
9653
  "establish and maintain a secure application development process",
@@ -9763,7 +9730,7 @@ export class SafeguardManager {
9763
9730
  title: "Establish and Maintain a Process to Accept and Address Software Vulnerabilities",
9764
9731
  description: "Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders",
9765
9732
  implementationGroup: "IG2",
9766
- assetType: ["applications"],
9733
+ assetType: ["Software"],
9767
9734
  securityFunction: ["Govern"],
9768
9735
  governanceElements: [
9769
9736
  "establish and maintain a process to accept and address reports of software vulnerabilities",
@@ -9850,7 +9817,7 @@ export class SafeguardManager {
9850
9817
  title: "Perform Root Cause Analysis on Security Vulnerabilities",
9851
9818
  description: "Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise",
9852
9819
  implementationGroup: "IG2",
9853
- assetType: ["applications"],
9820
+ assetType: ["Software"],
9854
9821
  securityFunction: ["Protect"],
9855
9822
  governanceElements: [
9856
9823
  "perform root cause analysis on security vulnerabilities"
@@ -9922,7 +9889,7 @@ export class SafeguardManager {
9922
9889
  title: "Establish and Manage an Inventory of Third-Party Software Components",
9923
9890
  description: "Establish and manage an updated inventory of third-party components used in development, often referred to as a \"bill of materials,\" as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported",
9924
9891
  implementationGroup: "IG2",
9925
- assetType: ["applications"],
9892
+ assetType: ["Software"],
9926
9893
  securityFunction: ["Identify"],
9927
9894
  governanceElements: [
9928
9895
  "establish and manage an updated inventory of third-party components used in development",
@@ -10002,7 +9969,7 @@ export class SafeguardManager {
10002
9969
  title: "Use Up-to-Date and Trusted Third-Party Software Components",
10003
9970
  description: "Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use",
10004
9971
  implementationGroup: "IG2",
10005
- assetType: ["applications"],
9972
+ assetType: ["Software"],
10006
9973
  securityFunction: ["Protect"],
10007
9974
  governanceElements: [
10008
9975
  "use up-to-date and trusted third-party software components"
@@ -10079,7 +10046,7 @@ export class SafeguardManager {
10079
10046
  title: "Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities",
10080
10047
  description: "Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually",
10081
10048
  implementationGroup: "IG2",
10082
- assetType: ["applications"],
10049
+ assetType: ["Software"],
10083
10050
  securityFunction: ["Govern"],
10084
10051
  governanceElements: [
10085
10052
  "establish and maintain a severity rating system and process for application vulnerabilities",
@@ -10157,7 +10124,7 @@ export class SafeguardManager {
10157
10124
  title: "Use Standard Hardening Configuration Templates for Application Infrastructure",
10158
10125
  description: "Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening",
10159
10126
  implementationGroup: "IG2",
10160
- assetType: ["applications"],
10127
+ assetType: ["Software"],
10161
10128
  securityFunction: ["Protect"],
10162
10129
  governanceElements: [
10163
10130
  "use standard, industry-recommended hardening configuration templates for application infrastructure components",
@@ -10390,7 +10357,7 @@ export class SafeguardManager {
10390
10357
  title: "Apply Secure Design Principles in Application Architectures",
10391
10358
  description: "Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of \"never trust user input.\" Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts",
10392
10359
  implementationGroup: "IG2",
10393
- assetType: ["applications"],
10360
+ assetType: ["Software"],
10394
10361
  securityFunction: ["Protect"],
10395
10362
  governanceElements: [
10396
10363
  "apply secure design principles in application architectures"
@@ -10472,7 +10439,7 @@ export class SafeguardManager {
10472
10439
  title: "Leverage Vetted Modules or Services for Application Security Components",
10473
10440
  description: "Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers' workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs",
10474
10441
  implementationGroup: "IG2",
10475
- assetType: ["applications"],
10442
+ assetType: ["Software"],
10476
10443
  securityFunction: ["Identify"],
10477
10444
  governanceElements: [
10478
10445
  "leverage vetted modules or services for application security components",
@@ -10554,7 +10521,7 @@ export class SafeguardManager {
10554
10521
  title: "Implement Code-Level Security Checks",
10555
10522
  description: "Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed",
10556
10523
  implementationGroup: "IG3",
10557
- assetType: ["applications"],
10524
+ assetType: ["Software"],
10558
10525
  securityFunction: ["Protect"],
10559
10526
  governanceElements: [
10560
10527
  "apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed"
@@ -10628,7 +10595,7 @@ export class SafeguardManager {
10628
10595
  title: "Conduct Application Penetration Testing",
10629
10596
  description: "Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user",
10630
10597
  implementationGroup: "IG3",
10631
- assetType: ["applications"],
10598
+ assetType: ["Software"],
10632
10599
  securityFunction: ["Detect"],
10633
10600
  governanceElements: [
10634
10601
  "conduct application penetration testing"
@@ -10705,7 +10672,7 @@ export class SafeguardManager {
10705
10672
  title: "Conduct Threat Modeling",
10706
10673
  description: "Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses",
10707
10674
  implementationGroup: "IG3",
10708
- assetType: ["applications"],
10675
+ assetType: ["Software"],
10709
10676
  securityFunction: ["Protect"],
10710
10677
  governanceElements: [
10711
10678
  "conduct threat modeling"