Third-party also known as supply chain, vendor supplied or outsourced software is any program or application that is not written exclusively by employees belonging to the company for which that software was created.
An increasing amount of applications are created out of house or are compiled using off the shelf or open sourced code. Companies use a multitude of non-internally developed applications such as those for email management, VPN connections and information/lead management.
A survey in the Study of Software Related Cybersecurity Risk in Public Companies reported that of 100 US and UK firms, nearly 80% of respondents use commercial software. However, less than one in five public companies has performed a formal verification on a third-party application.
Even internally developed applications rely heavily on third-party code. CA Veracode’s State of Software Security report indicated that between 30 and 70% of applications that are thought of as internally developed are actually comprised of third-party libraries and components.
While you may go to great lengths to ensure the security of your own code, you cannot assume that your third-party software has been properly secured. Third-party software often leaves large vulnerabilities that can be exploited by hackers or malicious programs.
According to CA Veracode research 90% of third-party code does not comply with enterprise security standards such as the OWASP Top 10. Third-party application security is essential for today’s IT security compliance.
CA Veracode’s Vendor Application Security Testing (VAST) helps vendors better understand the security risks posed by their third-party software and remediate those risks. VAST is the only solution that delivers a completely managed program for successful vendor assessment and vendor security risk management. Read more about VAST here.