Third-Party Software is a Security Threat (Part 1)

If you would like to read the next part in this article series please go to Third-Party Software is a Security Threat (Part 2).

In the past, operating system vendors were targeted as the weakest security link. Under market pressure, these software giants have tied down most of the loose ends and now meticulously follow scheduled patch release cycles; their security levels have improved, and the overall security posture of the platform has risen with them.

Third-party software developers do not have the budget or the resources to implement equally thorough development quality and patch release cycles, so in most cases third-party software exposes enterprise platforms to greater risk.

In these two articles we will explore the areas that a security-conscious enterprise needs to focus on to ensure that these loose ends are pinned down and its overall security posture improves.

Introduction

Securing third-party software, whether off-the-shelf commercial software, outsourced or open source, is a challenge to the security posture of any business. Working with the world’s leading patch management vendors, my team discovered several years ago that companies like Apple, Microsoft, Ubuntu etc. have polished their patch management processes to the point where now over 80% of the threats around patching arise from third-party software.

Organisations increasingly rely on third-party software and applications in cloud and mobile computing in order to gain the full business benefit of these platforms (flexibility and speed to market).

Organisations are finding it challenging to ensure that the software they use is secure, does not introduce security risks or vulnerabilities, and does not degrade their security posture. Most software used within organisations today comes from a third-party source, yet most organisations do not have the means to evaluate its security.

Reliance on third-party software transfers the security of that software into the hands of multiple developers (often a third party is itself outsourcing to another third party). Organisations commonly assume that the necessary due diligence and security checks have been undertaken. Unfortunately, with so many parties involved, this is often not the case: the software may not have been developed or tested to the same quality and security standards used within your organisation.

Organisations often follow secure development lifecycles themselves, but with hundreds of third-party libraries used in a single application, large amounts of code are unlikely to receive the same level of security checking.

Organisations should know where and how a piece of software will be used in order to understand the threat it poses. A clear understanding of the software security development lifecycle is key to understanding and managing risk: if you know the process, you can ask the right questions and confirm that the important security steps and practices are covered.

Possible security risks and concerns from third-party software utilisation:

  • Security testing, and the quality of that testing, may not meet your organisation’s standards or compliance requirements
  • Third-party software may contain security-related weaknesses or flaws, enabling internet attacks and vulnerabilities that compromise business data and assets
  • The code libraries used may not be actively maintained
  • Multiple code libraries are used
  • Multiple third-party suppliers are used, increasing the surface for compromise
  • Software performance and functionality may be hindered
  • Patching is usually not carried out quickly enough once a vulnerability is recognised
  • Reasons for slow patching may include:
    • Time needed for testing and validation
    • Lack of management tools
    • Inadequate resources
    • Concerns over service levels
    • Patch inadequacies

Handling the challenges of using third-party software

Operating systems have become more resistant to attack, leaving third-party software as the culprit in the majority of security compromises. Recent findings indicate that vulnerabilities in third-party software account for the majority of malware occurrences on Windows endpoints.

Organisations are ultimately responsible for ensuring that controls are in place to mitigate the security risk and manage the liability of using third-party software. Once the software or code is part of the organisation’s systems, the organisation becomes responsible for its security, quality and safety.

Software vulnerabilities are directly linked to business risk. A flaw in the software can impact customer satisfaction, brand or business image, revenue, time to market and competition for market leadership.

The relationship between software security and business risk places emphasis on the importance of securing third-party software and ensuring it is developed with quality, safety and security in mind.

The following steps can be taken to mitigate the security risk and determine the integrity of the software:

  • Weigh up the business risk against the advantages of using the third-party software option. Ask yourself the right questions to balance your business risk tolerance against your business requirements.

    View the software in terms of your business because the software security risk is directly related to you achieving your business requirements.

    Some questions that may point you in the right direction include the following. The answers will be unique to each business or organisation and will support an informed decision on software usage under varying circumstances:

    • Is it possible to test the third-party code for security flaws in a test environment before going live?
    • Once live can the third-party component be tested?
    • Will the third-party software/plugins be accessible publicly?
    • Do you know of any listed vulnerabilities with the third-party software or code?
    • If you are compromised because of a third-party flaw, what is the worst outcome for your business?

Once, after careful consideration, you have decided to use the third-party software, further steps can be taken:

  • Implement security measures that help assure that the third-party software meets your industry security standards and compliance requirements. Treat the assessment of third-party software with the same meticulousness you would apply to in-house software.
  • Put policies in place that third-party software suppliers must conform to when developing, so that your security and compliance requirements are effectively met. Suppliers should use mature development practices and provide a track record showing that quality, safety and security requirements are met.
  • Ensure the highest quality code is being used.
  • Ensure appropriate testing is undertaken during development so that defects are resolved early in the development cycle.
  • Demand visibility and insight into the quality and security of the third-party code.
  • Security testing of the software is essential (unit testing, assessments, penetration testing of the code, automated scanning combined with manual testing, and compliance audits).
  • It is essential that third-party software and applications are managed and patched regularly. As with operating system patching, it should be prioritised and made a routine practice. Automated application patching tools can make this less cumbersome.
  • Although patch management of third-party applications and software has become more challenging in the mobile computing environment, it is essential that organisations rise to the challenge, as the risk to data security and compliance is great.
  • Antivirus, web filtering software, application firewalls and whitelisting, in combination, help to achieve a defence-in-depth approach.
  • By combining patch management, antivirus, web filtering, application firewalls and whitelisting, that is, device, application, patch and antivirus controls, you arrive at a proactive rather than a reactive solution that mitigates third-party software security risks more effectively.
  • Having control over third-party software and applications is a proactive means of managing security. By taking back control and choosing third-party software suited to your business risk level, you are able to mitigate the security risk. Whitelisting is one way to assist in doing this.
  • Do not allow unauthorised third-party software or applications: not only are they likely to be laden with vulnerabilities, they are also harder to patch. Unauthorised third-party software may also affect the business’s compliance.
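The whitelisting and patch-management steps above can be checked mechanically against a software inventory. The following is an added example (not from the article or any vendor tool): it compares a constructed inventory of installed third-party products against an approved list with minimum patched versions, flagging unauthorised software and software that is behind on patches. All product names, versions and host names are made up.

```python
"""Check a software inventory against a third-party allow-list and
minimum-patched-version policy (added example, constructed data)."""
from dataclasses import dataclass

# Constructed allow-list: approved third-party products and the lowest
# version that carries the current patches. Names/versions are made up.
APPROVED = {
    "pdf-reader": "11.0.5",
    "java-runtime": "8.0.371",
    "media-player": "3.0.18",
}


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    issue: str  # "unauthorised" (not on allow-list) or "unpatched"


def parse_version(version):
    """Turn '11.0.5' into (11, 0, 5) so versions compare numerically
    rather than as strings (where '8.0.371' < '8.0.40')."""
    return tuple(int(part) for part in version.split("."))


def check_inventory(inventory):
    """Return one Finding per installed product that violates policy."""
    findings = []
    for host, product, version in inventory:
        if product not in APPROVED:
            findings.append(Finding(host, product, version, "unauthorised"))
        elif parse_version(version) < parse_version(APPROVED[product]):
            findings.append(Finding(host, product, version, "unpatched"))
    return findings


# Constructed inventory rows: (host, product, installed version)
SAMPLE_INVENTORY = [
    ("ws-01", "pdf-reader", "11.0.5"),      # approved, current
    ("ws-01", "media-player", "2.9.1"),     # approved, behind on patches
    ("ws-02", "java-runtime", "8.0.202"),   # approved, behind on patches
    ("ws-02", "torrent-client", "4.1.0"),   # not on the allow-list
    ("ws-03", "pdf-reader", "11.0.9"),      # approved, newer than minimum
]

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY):
        print(f"{f.host}: {f.product} {f.version} -> {f.issue}")
```

In practice the inventory rows would come from an endpoint management or patch management tool's export, and the allow-list from the policy agreed under the steps above.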

Conclusion

In this mobile environment where pressure for rapid development is high, organisations are now heavily reliant on third-party code and software usually from multiple sources and suppliers.

BYOD and the mobile computing environment leave many businesses with little confidence about what is running on their desktops, and many do not know at all which third-party applications are present, making it increasingly difficult to put security policies in place and manage them effectively.

In the next article we will look at why it is important to be aware of more of the threats of using third-party software. We will also cover the top six things that we can do to mitigate the weaknesses of third-party software.
