Mitigating Risks with Vendor-Supplied Software
We recently hosted a webinar featuring Chenxi Wang of Forrester Research Inc and Chad Holmes of Veracode that discussed how enterprises can better understand and reduce security risks associated with using vendor-supplied software. This blog post will highlight the key takeaways of the webinar.
The webinar begins with Chenxi detailing the proliferation of third-party software use by enterprises today. Nearly all businesses can now be viewed as “extended enterprises,” that is, enterprises that employ multitudes of software and applications across different devices and different user populations. On top of that, there is a huge variety of third-party software that businesses use, including:
- Commercial “shrink wrapped” enterprise applications
- Outsourced applications
- Software-as-a-Service applications
- Third-party libraries and code components
- Third-party services
- Mobile applications
Unfortunately, this widespread growth and adoption of third-party apps for enterprises comes with an increase in security risks facing enterprises. There are a few questions that AppSec teams should be asking themselves when it comes to third-party application security:
- Does the vendor employ secure development practices?
- Are you confident that the code contains no critical vulnerabilities or back doors?
- How does the software protect sensitive data?
- Does the code use effective access control?
The good news is that enterprises are beginning to recognize and address these risks. Chenxi provides data from a 2011 Forrester survey to show that 48% of enterprises ranked implementing security requirements with business partners/third parties as critical or high priority (11% responded “critical,” 37% responded “high”). However, while many enterprises emphasized the importance of establishing security requirements for third parties, far fewer enterprises are actively implementing third-party security measures. According to 2012 surveys from PWC, only 23.6% of enterprises require that third parties comply with specific security policies while only 26% conduct compliance audits of third parties.
Chenxi concludes her presentation with recommendations for mitigating third-party risks:
- It is the enterprise’s responsibility to do its due diligence before signing a contract with a third party. This requires the enterprise to closely examine the third party’s development practices and software supply chain to make sure that measures are being taken to eliminate unnecessary risks. Additionally, the enterprise and third party should agree on software security acceptance conditions before entering a contract.
- Enterprises should assess and request remediation for any security problems before accepting code from a third party.
- Enterprises need to have incident response procedures in place for apps in production. These procedures should cover everything from reporting problems to installing patches to fix them.
Following Chenxi’s presentation, Chad weighs in with insight from third party analysis conducted by Veracode. He begins by stressing that every enterprise has unique security needs. Enterprises should take a few steps to ensure that they understand and can address their own security needs. This begins with accepting that every enterprise (purchaser or vendor) is responsible for deploying secure software. Additionally, enterprises and vendors need to know the stakeholders in this process. For enterprises, it is important to know who is actually producing the software they are purchasing. For vendors, it is important to know whom software is being produced for and the needs of these consumers.
Chad concludes the webinar with a few recommendations of his own. He offers two guiding principles for mitigating risk with third-party software. First off, enterprises have all the leverage in the enterprise/vendor relationship. Second, basic project management is critical to success when sourcing secure software from third parties. These two principles lay the foundation for Chad’s five best practices for enterprises and vendors engaged in the application analysis and remediation process:
- Policy definition: Outline which vulnerabilities need to be fixed and provide timelines for scanning and remediation.
- B2B communication: Enterprises and vendors rely on strong communication for effective analysis and risk mitigation.
- Vendor education/commitment: Educate vendors so that they are comfortable and willing to work with the enterprise to improve security.
- Communication and Execution: Open communication between all parties involved allows for speedy and effective remediation.
- Results communication and IP protection: Provide the necessary information in application analysis results while protecting intellectual property of the application vendor.
Watch the full webinar here for Veracode third party data, case studies, presentation slides, and more.