If you would like to read the first part in this article series please go to Third-Party Software is a Security Threat (Pdart 1).
Open source software
As much as companies and individuals are pro open source software the latest heartbleed vulnerability is a stark reminder that vulnerability can exist even if the third part software is not part of your gold build, but part of your cloud platform. This third-party software’s security issue affected millions of machines.
Within days most of our customers were being scanned and about 25% of the customers were experiencing serious exploit attempts on their networks. All of this was due to a third-party piece of software that had not been properly architected and it affected thousands of software vendors that took shortcuts with open SSL adoption rather than adopting a more rigid and less vulnerable security platform.
As discussed in the first article in this series this security vulnerability is linked to libraries that have not been maintained and constantly reviewed for more modern security flaws, it is more likely that commercial software built by one of the giants will be reviewed on a more regular basis as more people use the software and also if a problem is found that is critical, the issue will be resolved swiftly because large organisations can be held liable by their paying customers.
Moreover if an issue is discovered to arise in a third-party piece of software, or discovered and not announced, it can go un-noticed for years and exploited by the bad guys until one day it’s bought to light. By that time it will probably be too late as the damage to your systems, data and reputation will have already been done.
Timing is everything
As we all know timing is everything and not being able to patch in time is playing a dangerous game of catch-up, most vulnerabilities are known by the bad guys for quite some time before they are exposed to the commercial world, but in most cases commercial software owned by the giants are more researched and the vulnerabilities addressed and announced more rapidly than third-party software.
It is common for third-party software to suffer from considerable patch lag when vulnerabilities are discovered, mostly due to the lack of resources and process when compared to the software giants.
Then there is the case of alerting the users or organisations that the software has been updated. This is often not simple as the software platforms in some cases do not have notification or auto update facilities so it could be quite some time before the update or discrete patch is applied that resolves the security flaw.
Third-party software deployment and associated security risk
Many people tend to incorrectly link the means of deployment of third-party software to the level of security risk. The truth of the matter is that no matter the deployment method used, third-party software can always have a security risk. The risk is no different if the software is deployed on premise or in the cloud.
Organisations should be vigilant and maybe even doubtful of the security of third-party software but the type of deployment does not make the software more or less of a security risk. The security risk is down to the third-party software and not the deployment method.
Third-party software should be secured at a high level as attackers are targeting the software. The software needs to be developed with security and quality in mind. Organisations must be mindful of their procurement of third-party software to alleviate unnecessary risk, third-party infrastructure and processes should be secure.
Top six things you can do for your organisation to reduce the threat of third-party software.
- Remove all software from clients and servers that you don’t require, additionally uninstall and disable all features of software and services that you don’t use and are not likely to use. Many vendors have detailed information and tools that help you do this but most organisations do not follow this path and are relatively exposed because of the lack of controls in this area.
- Ensure that if you are using third-party software that the vendor that you select has a proper and defined patch management release cycle that informs you the user and/or the organisation on a periodic basis of the updates and security vulnerabilities that are being discovered. If you search on issues or vulnerabilities linked to the third-party software and can’t find anything around issues, patches and updates the likelihood of you being notified when there is a significant security vulnerability is low.
- If you are using third-party software make sure you are aware of all the libraries and components that are being used to make up the software by the third-party vendors. You can do this by looking at the licencing or by contacting the vendor, if the vendor is not willing to supply the list you are better off avoiding the software as this will most probably end up exposing your organisations to a security issue in future. I often tell my customers that it’s like knowing what the ingredients are in food, and if you don’t know the ingredients, don’t eat the food…
- Employ the use of a good third-party patch management solution like the free PSI by Secunia, there are more commercial varieties but the PSI solution is free and gives you a taste of what you can expect. These tools should be connected to your SOC and kept an eye on so that frequently your third-party patches are identified, tested and applied as per your patch management cycle.
- In corporate environments do not allow the use of unauthorised software that is not inline or tested and used by the corporation. Supporting third-party software includes patching the software and keeping it maintained. To do this you need to know what the software is and if there is a patch available. If your users are installing all sorts of software and you have no way to track this behaviour, you could be exposed as surely they will not be patching the software. For this reason it’s important to restrict what third-party software can be installed on corporate assets.
- Block all ports and communication on the network between hosts that are not required and force internet bound connections to your Web Application Firewall or WAF. The WAF should be capable of inspecting the web traffic and only allowing valid corporate traffic and all other third-party communication will be blocked rendering the third-party software and the security issues ineffective. Additionally if you setup alerts to inform your security department you can identify and remove the offending software. This can easily be achieved with your SIEM+WAF solution.
"IT organizations need to take into account numerous security threats, preparing for which often requires using multiple third party solutions. However, using multiple security services and appliances typically leads to integration issues, complex upkeep and generally higher costs of ownership. As a result, the security market is now moving towards offering multi-function services.
More importantly, this approach also makes sense from a security stand-point. Cost of ownership aside, with so many security events relying on multiple attack vectors, it simply makes good sense for your web application firewall to be DDoS resilient." - Igal Zeifman from Incapsula
Organisations need to remain observant about potential hazards in the security of third-party software. Have a team that can remain abreast of the security issues and who are aware of the threats and vulnerabilities. Collaborate with the broader security industry to keep on top and proactively work together to increase the security posture all round.
Be responsible with your third-party software choice, be mindful of all compliance warnings. Today Data security is of paramount importance and any security breach will not be looked upon lightly. Any breach, albeit through a third-party software flaw, will still be the organisations responsibility.
The key message is limit the use of software that may cause your organisation a security issue and ensure that if third-party software is required that it is properly maintained and patched.
If you would like to read the first part in this article series please go to Third-Party Software is a Security Threat (Part 1).