Application development teams are being pressured to do more with less, and are increasingly turning to open-source components and external software vendors to get their jobs done quickly. Vendor risk assessments have grown increasingly important as a result. However, the available budgets for these assessments are not growing in kind. Each CISO must understand where application security risks are coming from and find a way to conduct a risk assessment that ensures all third-party code is secure — while staying within budgetary confines.
The Looming Vendor Risk-Management Crisis
As application development shifts from an in-house model to one in which third-party and open-source components are regularly used, many enterprises have been slow to update their risk-assessment programs. The end result is a host of applications that may have been coded with care but still have glaring security issues.
In fact, of the 700 compromises researched for the 2014 Trustwave Global Security Report, 85 percent involved some kind of third-party code; in addition, 96 percent of applications harbored at least one serious security vulnerability. Further, aerospace and defense leader Boeing found that over 90 percent of the third-party software it tested had significant, compromising flaws. Given that it takes an average of almost three months for breaches to be discovered and contained, the amount of damage or loss that these third-party incidents can cause a business can hardly be overstated.
As bad as it sounds now, expect the issue with third-party software to grow in the coming years. Hackers understand that these pieces of software are often integrated without security assessments, and that discovering a vulnerability in just one piece of third-party software can open up the systems of dozens or hundreds of businesses. The reality is that third-party software is becoming the new perimeter for enterprises.
Taking Vendor Security Seriously without Breaking the Budget
The problem that most CISOs face? As threats to their third-party software grow, their budgets for dealing with the issues remain the same. Hopefully the fallout from high-profile attacks will begin to change this; until then, however, enterprises have to learn how to maximize their security while simultaneously cutting costs. Here are four steps information security executives and managers can take to help alleviate this problem:
- Audit and prioritize. Application development at an enterprise can quickly become amorphous as teams and paradigms shift. CISOs have to audit entire development teams to learn exactly what they are working on, their expected release cycles, and what third-party code or outside vendors they are working with. Once this audit is complete, risk managers can properly prioritize vendor and code assessments to ensure that mission-critical apps are as secure as possible.
- Understand true risk. A proper vendor risk assessment is going to uncover no small number of issues — and with enough time and money, they should all be addressed. However, within budgetary constraints, one solution is to understand the difference between vulnerabilities that can cause serious harm and vulnerabilities that are likely to absorb IT's time and effort for little gain. Use rankings like the OWASP Top 10 and CWE/SANS Top 25 for vulnerability differentiation, and stay current on emerging threats so your organization can deal with growing issues before they make one of these lists.
- Rate your vendors. Vendors with a strong history of secure code and a demonstrated ability to go through remediation without significant involvement from the business may not need to be assessed as frequently as less-secure vendors. Reducing the number of assessments on these security-conscious vendors can save both time and money while introducing a minimal amount of risk. But remember that vendors' risk profiles can change over time, so it's important to readdress your vendor ratings at regular intervals; ideally every significant software update should require a security evaluation.
- Harness the experts. The best security-testing solutions will be able to test vendor apps without access to the source code — greatly speeding up the assessment process — and also provide guidance to vendors on how to address vulnerabilities efficiently. The final results of the assessment should be available to all parties, so everyone remains on the same page.
The security issues surrounding third-party software are only going to become more prevalent in the future. These steps can help enterprises maintain the highest level of security their budgets will allow.