diff --git a/2021/docs/en/2025/A03_2025-Software_Supply_Chain_Failures.md b/2021/docs/en/2025/A03_2025-Software_Supply_Chain_Failures.md index 54065cdc6..4c4c20b9d 100644 --- a/2021/docs/en/2025/A03_2025-Software_Supply_Chain_Failures.md +++ b/2021/docs/en/2025/A03_2025-Software_Supply_Chain_Failures.md 
@@ -85,7 +85,7 @@ There should be a patch management process in place to: * Track not just your own dependencies, but their (transitive) dependencies, and so on. * Remove unused dependencies, unnecessary features, components, files, and documentation. Attack surface reduction. * Continuously inventory the versions of both client-side and server-side components (e.g., frameworks, libraries) and their dependencies using tools like versions, OWASP Dependency Check, retire.js, etc. -* Continuously monitor sources like Common Vulnerability and Exposures (CVE) and National Vulnerability Database (NVD) for vulnerabilities in the components you use. Use software composition analysis, software supply chain, or security-focused SBOM tools to automate the process. Subscribe to email alerts for security vulnerabilities related to components you use. +* Continuously monitor sources like Common Vulnerability and Exposures (CVE) and National Vulnerability Database (NVD) for vulnerabilities in the components you use. Use software composition analysis, software supply chain, or security-focused SBOM tools to automate the process. Subscribe to email alerts for security vulnerabilities related to components you use. Use tools like OWASP Dependency Check, OWASP Dependency Track, retire.js etc. * Only obtain components from official (trusted) sources over secure links. Prefer signed packages to reduce the chance of including a modified, malicious component (see [A08:2025-Software and Data Integrity Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/)). * Deliberately choosing which version of a dependency you use and upgrading only when there is need. * Monitor for libraries and components that are unmaintained or do not create security patches for older versions. If patching is not possible, consider deploying a virtual patch to monitor, detect, or protect against the discovered issue.
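Review bot: The sentence added to the "Continuously monitor sources" bullet ("Use tools like OWASP Dependency Check, OWASP Dependency Track, retire.js etc.") largely duplicates the tool list already given in the preceding bullet ("using tools like versions, OWASP Dependency Check, retire.js, etc."), so the same tools are now recommended twice in adjacent items. Suggest either dropping the new sentence and adding OWASP Dependency Track to the existing list in the inventory bullet, or keeping it here but tying it to the monitoring purpose of this bullet (e.g. "Tools such as OWASP Dependency-Track can match an SBOM against vulnerability feeds continuously") so the two bullets stay distinct. Minor: add a comma before "etc." ("retire.js, etc.") to match the punctuation used in the previous bullet, and the official project names are hyphenated ("OWASP Dependency-Check", "OWASP Dependency-Track"). Unrelated to this change but visible in the context lines: the link labelled "A08:2025-Software and Data Integrity Failures" still points at the 2021 URL (A08_2021-...), which is worth fixing in a follow-up.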