Application development teams are being pressured to do more with less, and are increasingly turning to open-source components and external software vendors to get their jobs done quickly. Vendor risk assessments have grown increasingly important as a result. However, the available budgets for these assessments are not growing in kind. Each CISO must understand where application security risks are coming from and find a way to conduct a risk assessment that ensures all third-party code is secure — while staying within budgetary confines.
The Looming Vendor Risk-Management Crisis
As the world of application development shifts from an in-house model to one wherein third-party and open-source components are regularly used, many enterprises have been slow to update their programs surrounding risk assessment. The end result is a host of applications that may have been coded with care, but still have glaring security issues.
In fact, of the 700 compromises researched for the 2014 Trustwave Global Security Report, 85 percent involved some kind of third-party code; in addition, 96 percent of applications harbored at least one serious security vulnerability. Further, aerospace and defense leader Boeing found that over 90 percent of the third-party software it tested had significant, compromising flaws. Given that it takes an average of almost three months for breaches to be discovered and contained, the amount of damage or loss that these third-party incidents can cause a business simply cannot be overstated.
As bad as it sounds now, expect the issue with third-party software to grow in the coming years. Hackers understand that these pieces of software are often integrated without security assessments, and that discovering a vulnerability in just one piece of third-party software can open up the systems of dozens or hundreds of businesses. The reality is that third-party software is becoming the new perimeter for enterprises.
Taking Vendor Security Seriously without Breaking the Budget
The problem that most CISOs face? As threats to their third-party software grow, their budgets for dealing with the issues remain the same. Hopefully the fallout from high-profile attacks will begin to change this; until then, however, enterprises have to learn how to maximize their security while simultaneously cutting costs. Here are four steps information security executives and managers can take to help alleviate this problem:
The security issues surrounding third-party software are only going to become more prevalent in the future. These steps can help enterprises maintain the highest level of security their budgets will allow.