A group of leading banks, insurance, and mortgage companies, including Aetna, Goldman Sachs, JP Morgan Chase, and Citi, among others, recently crafted recommended controls for addressing third party software security in the paper “Appropriate Software Security Control Types for Third Party Service and Product Providers.” The paper acknowledges that conventional third party controls are no longer sufficient to cover the ever-expanding attack surface presented by web, mobile, and desktop applications developed by third party software suppliers. It then offers three controls for addressing the risk posed by this third party software.
Specifically, the guidance recommends the use of Binary Static Analysis in order to understand the vulnerability density of every version of every product supplied by a third party vendor. Binary static analysis is specifically called for because it “provides a method for determining security vulnerabilities without the need to access source code, a significant benefit for vendors.”
We at Veracode completely endorse this control and are proponents of Binary Static Analysis because it examines the code in its “final” compiled form, which enables evaluation of vulnerabilities introduced by linked libraries, APIs, compiler optimizations, and third party components that source code testing cannot identify. This approach results in the most accurate and complete security testing available in the industry. As the working group acknowledged in the section on this control, Veracode is uniquely positioned to deliver binary static analysis of a software supplier's products on behalf of an enterprise, due to our patented automated static binary analysis offering and our Vendor Application Security Testing (VAST) program, which “manages the process of collecting binary static analysis artifacts, while working with software vendors to embed software security in the development process.” With VAST, Veracode combines our application security expertise, leadership in binary static analysis, proven compliance processes, and cloud-based testing technology to address the needs of an enterprise looking to understand the security posture of software sourced from a third party. VAST delivers improved software risk management to enterprise customers by:
- Reducing the overall risk posture of the entire software portfolio by securing vendor-supplied software.
- Outsourcing the critical task of vendor application security program management to trusted experts at Veracode, saving internal resources.
- Shifting the responsibility and cost burden onto the third party software vendors over time while also increasing the amount of software in scope for this program.
The analysis process is completely automated via the Veracode cloud-based testing platform. Regardless of core technology, origin, or deployment method, the platform analyzes vendor software whether installed or cloud-based, commercial or outsourced.