Does your change management process verify that all required third-party libraries and dependencies are still supported with each major change?
Explanation
Example Responses
Example Response 1
Yes, our change management process includes mandatory verification of third-party library and dependency support status. Before any major change is approved, our DevSecOps team runs an automated dependency scanning tool (Snyk and OWASP Dependency-Check) that flags any libraries that have reached end-of-life or will reach it within the next 6 months. Our change management system requires this scan report to be attached to the change request, and any unsupported dependencies must be remediated before the change can be approved. This process is documented in our Change Management Policy (CMP-103) and enforced through our automated CI/CD pipeline, which blocks deployments if unsupported dependencies are detected.
Example Response 2
Yes, our organization has implemented a comprehensive third-party library management process as part of our change management procedures. For each major change, our development teams must complete a Third-Party Dependency Review form that requires verification of support status for all dependencies. We maintain a centralized Software Bill of Materials (SBOM) database that tracks all third-party components across our applications, including their support timelines. During pre-deployment reviews, our security team cross-references this database to identify any components approaching end-of-life. If unsupported libraries are identified, the change must include plans to upgrade or replace these components, or receive a time-limited exception with compensating controls approved by the CISO.
Example Response 3
No, we currently do not have a formal process to verify that all required third-party libraries and dependencies are still supported during major changes. While our developers generally try to use current versions of libraries, we don't have an automated or documented process to systematically check support status during the change management process. We recognize this as a gap in our security practices and are currently developing a more robust approach. In the interim, we perform quarterly manual audits of our most critical applications to identify obviously outdated components, but this is not integrated into our change management workflow. We plan to implement an automated dependency checking tool within the next quarter to address this vulnerability.
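The automated gate that Example Responses 1 and 2 describe (cross-reference each SBOM component against a support-timeline registry, flag anything already past end-of-support or within a 6-month horizon, honour time-limited exceptions, and block the change otherwise) can be expressed in a small script. The following is an added example, not code from any questionnaire respondent or from Snyk or OWASP Dependency-Check; the CycloneDX-style SBOM, the component names, the support dates, the exception entry and the "today" date are all constructed placeholders, and the support registry format is an assumption of this example.

```python
"""CI gate: fail a change when its SBOM contains unsupported dependencies."""
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed SBOM in a minimal CycloneDX-like shape (fictional components).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "example-orm",        "version": "4.2.0"},
    {"name": "legacy-http-client", "version": "1.9.3"},
    {"name": "json-parser",        "version": "2.0.1"},
    {"name": "image-lib",          "version": "7.1.0"},
    {"name": "crypto-shim",        "version": "0.4.0"}
  ]
}
"""
SBOM = json.loads(SBOM_JSON)

# Constructed support-timeline registry: (name, version) -> end-of-support date.
# This stands in for the centralized SBOM database mentioned in Example Response 2.
SUPPORT_END = {
    ("example-orm", "4.2.0"): date(2026, 12, 31),
    ("legacy-http-client", "1.9.3"): date(2024, 1, 15),   # already unsupported
    ("json-parser", "2.0.1"): date(2025, 4, 30),          # inside the 6-month window
    ("image-lib", "7.1.0"): date(2027, 6, 1),
    # crypto-shim is deliberately absent: support status unknown
}

# Constructed time-limited exceptions (with compensating controls): key -> expiry date.
EXCEPTIONS = {
    ("legacy-http-client", "1.9.3"): date(2025, 6, 30),
}

# Fixed "today" so the example is deterministic.
TODAY = date(2025, 1, 10)


@dataclass
class Report:
    unsupported: list = field(default_factory=list)  # end-of-support already passed
    expiring: list = field(default_factory=list)     # end-of-support within horizon
    unknown: list = field(default_factory=list)      # not in the registry at all
    excepted: list = field(default_factory=list)     # covered by a live exception
    supported: list = field(default_factory=list)

    def blocking(self):
        """Everything that should stop the change. Unknown status blocks too:
        a dependency whose support status cannot be verified fails closed."""
        return self.unsupported + self.expiring + self.unknown


def check_sbom(sbom, support_end, exceptions, today, horizon_days=180):
    """Classify every SBOM component by support status as of `today`."""
    report = Report()
    horizon = today + timedelta(days=horizon_days)  # ~6 months, as in Example Response 1
    for comp in sbom["components"]:
        key = (comp["name"], comp["version"])
        label = f"{key[0]}@{key[1]}"
        exc_until = exceptions.get(key)
        if exc_until is not None and exc_until >= today:
            report.excepted.append(label)       # exception still valid
            continue                            # expired exceptions fall through
        eol = support_end.get(key)
        if eol is None:
            report.unknown.append(label)
        elif eol < today:
            report.unsupported.append(label)
        elif eol <= horizon:
            report.expiring.append(label)
        else:
            report.supported.append(label)
    return report


def gate(report):
    """True when the change may proceed, False when the pipeline should block it."""
    return not report.blocking()


if __name__ == "__main__":
    r = check_sbom(SBOM, SUPPORT_END, EXCEPTIONS, TODAY)
    for bucket in ("unsupported", "expiring", "unknown", "excepted", "supported"):
        print(f"{bucket:12s} {getattr(r, bucket)}")
    raise SystemExit(0 if gate(r) else 1)
```

In a pipeline the script's non-zero exit status is what blocks the deployment; the printed buckets are the report that would be attached to the change request. Treating an unknown component as blocking is a deliberate fail-closed choice, and an exception that has passed its expiry date is ignored so that a temporary waiver cannot silently become permanent.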
Context
- Tab: Organization
- Category: Change Management