June 13, 2014

Cloud or Not - Third-Party Software Adds Unnecessary Risk

Don't be misled regarding the security implications of cloud-based software.

There’s been some discussion regarding the "Cloud Could Triple Odds of $20M Data Breach" research findings by Ponemon, so I thought I would weigh in on this issue. Risky software, regardless of deployment method, is what is adding unnecessary risk to organizations. This is especially true of third-party applications, whether these acquired applications are on-premises or cloud solutions.

As enterprises are getting better at defending traditional network perimeters, attackers are now targeting the software supply chain. It’s why the FS-ISAC Working Group on Third-Party Software Security, which produced the paper "Appropriate Software Security Control Types for Third Party Service and Product Providers," recommends (among other controls) that enterprises require their software vendors to attest to the security of their products using binary static analysis. Enterprises are right to be wary of third-party cloud applications. However, this should have nothing to do with whether they are in the cloud or not. Instead, it is because they are produced by third parties, and thus enterprises have less insight into the security that went into the development.

If an enterprise wants to reduce unnecessary risk at their company, avoiding the cloud isn’t going to protect them, but taking a hard look at their software procurement policies and processes will. What enterprises should be saying is: "I will never put my data in an infrastructure that is not secure. I will require 3rd party attestation." That goes for cloud apps, the apps they buy, and their own infrastructure. As a software security provider (which happens to be cloud-based), we recognize the importance of third-party attestation. As a result, we’ve been sure to include security in our own agile development processes, and it is why we offer advice to companies creating strategies for Building Security into the Agile SDLC. This is also why we took steps to achieve our own third-party security certification, to show that our infrastructure and processes meet industry standards for service providers.

We recommend customers of all SaaS solutions ask their providers if they have a 3rd party certification before purchasing. Concerns about cloud security are legitimate, but only insofar as they pertain to overall product security. It is time we as an industry stop using deployment method as the yardstick to measure a solution's security. Instead we should look at the development processes and other risk factors before adding a third-party solution to our infrastructure.

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
