1.1 All components are identified¶
Verify that all application components are identified and are known to be needed.
Levels: 1, 2, 3
The purpose of this requirement is twofold:
- Discover third party components that may contain (public) vulnerabilities.
- Discover ‘dead code / dependencies’ that increase attack surface without any benefit in functionality.
Developers may be tempted to keep dead code / dependencies around ‘in case I ever need it’, however this is not an argument for a shippable product, such dead code / dependencies is better left on a source control system.