How to Mitigate Security Risks from Third-Party Providers
Vendor application security testing is a key practice to help companies ensure that third-party software meets their security standards.
By Nazar Tymoshyk, SoftServe
In today’s market, most organizations don’t possess all the skills and expertise needed to complete every project in-house. Companies of all sizes turn to third-party providers for a variety of essential business needs, from invoice generation and submission to video hosting or payment processing.
Handing a larger part of your project to someone else does not remove security risks. The Target case showed this: Target's HVAC system was hacked and used to compromise millions of customers' credit card data.
Leading organizations such as OWASP, the PCI Council, FS-ISAC and NIST are raising awareness about the burning need to better understand and reduce security risks associated with the use of third-party software. Why? Because when you install applications or software components from a third party, you also take ownership of all the vulnerabilities in their software.
As a recent survey showed, enterprise security pros are making third-party compliance with their security requirements a top IT security priority. But with 65 percent of a typical enterprise portfolio coming from third parties, there’s a lot of risk to take on, especially when an even more disturbing 82 percent of applications fail to comply with enterprise security standards on their first pass.
Here are some practices to help you deal with third-party software security like a pro:
Independent Audit Services
An independent software audit service gives you a cost-effective way to obtain a third-party security attestation, based on an in-depth analysis of the application and an overview of its vulnerabilities.
Vendor Application Security Testing (VAST)
Covering commercial off-the-shelf, on-demand, third-party libraries, outsourced and open source software, VAST ensures that all externally developed software complies with your security policies. In practice, VAST covers all the related security processes, including contacting vendors and working with them to promptly identify and remediate security threats.
Following Veracode suggestions, here is a three-step guide to effectively apply VAST:
Define. VAST helps you frame a third-party compliance policy and acceptance criteria, based on best practices and tailored to your organization's security policies, which in turn derive from your business needs and risks. Your VAST provider is responsible for a detailed plan that clearly sets out non-compliance penalties and escalation procedures for third parties.
The VAST provider should also help compile the lists of vendors and applications in scope for the program, and should create standard templates for notifying each selected vendor of the requirement that its software be assessed by an independent organization. As a rule, this notification is signed by a senior executive in vendor management, procurement or IT security.
Test. While the third party is responsible for scanning its binaries with dedicated code scanning tools, the VAST provider conducts a comprehensive analysis of the application, searching for vulnerabilities against your organization's predefined security policy. The collected results are submitted to the stakeholders as an extensive summary report.
Comply. Depending on the outcome of the analysis and the complexity of the case, the software provider then mitigates the detected vulnerabilities with the help of security experts. The VAST provider tests and re-tests the application until it satisfies your organization's security policy. Some enterprises allow software suppliers to submit their own attestations based on internal testing results; these attestations are also collected and submitted to stakeholders.
Takeaway: Trust but Verify
It is often said: trust, but verify. Just as you test your own company, you need to make sure that any third party you rely on to accomplish your goals is as secure as you need it to be.
An eSecurity Planet article from March offers more good advice on mitigating security risks associated with third-party vendors.
Nazar Tymoshyk is a highly regarded IT security and network infrastructure expert working for SoftServe, Inc., a global leader in software and application development. He specializes in many security disciplines, including computer forensics, malware analysis, intrusion detection, and mobile application security assessments. Nazar holds a Ph.D. in Information Security from the State University, Lviv Polytechnics, is the OWASP chapter leader in Lviv, Ukraine, and is a regular contributor to the SoftServe United blog.