Traditional network perimeters have hardened over the past decade due to a greater understanding of the importance of security at the developer level and the natural evolution of security tools. However, modern business practices have led to an explosion of outsourced and third-party code being used within any given enterprise, and hackers are shifting their targets toward these applications. For enterprises looking to avoid problems with software supply chain security and prevent potentially disastrous situations, the first step is a firm understanding of the basics.
The Difficulty with Software Supply Chain Security
In a modern enterprise, outsourced and open source code is practically unavoidable. The application demands are simply more than most IT departments can handle, and outsourcing some of the development can be seen as cost-effective by executives concerned with operational functionality above all else.
The problem is that some of these savings come from the outsourced vendor's lax attitude regarding application security. As discussed in Forbes, issues related to outsourcing can range from simple coding mistakes to outright malfeasance. If code is passed through into production straight from the developer, these problems won't be caught until they cause major security incidents. As most vendors know, rectifying such situations can be difficult — and if basic security isn't in the initial contract, these vendors can use later requests for remedial security as a way to extract additional value, essentially getting bonus payments for not doing their job right in the first place. Some businesses may even continue to ignore problems, not wishing to increase future contract costs to fix older, operational software.
The problems with third-party security aren't limited to code outsourced to other countries. Even code obtained from reputable companies or from reputable open source projects can be riddled with security issues. Basically, if the code's creator doesn't have an obligation to create secure software, expect that code to at least have some security-related flaws.
Basic Steps in the Right Direction
In today's marketplace, avoiding third-party software is a non-starter. Enterprises have to gain an understanding of AppSec basics when it comes to outsourced code in order to avoid the pitfalls that are harming so many businesses.
Those basics begin with ensuring that security is covered in any contract with a third-party vendor. This includes not only setting security benchmarks that must be met, but also mandating developer training on security practices and defining rules for remediation. While not a panacea, this will at least give CISOs some legal standing to ensure remediation efforts are taken seriously.
Enterprises then need to have security scan processes in place to ensure that all applications and code received from other sources meet the security standards outlined in any contract. A scalable solution, such as one based in the cloud, will help ensure the same security standards are applied across the board — a safer alternative to letting each development team create an ad-hoc scan that could potentially miss certain vulnerabilities.
Businesses also have to be prepared to scan third-party libraries and applications without access to the source code. Failing to scan these applications can undermine all other security procedures, as hackers will inevitably find the weaknesses that this untested code represents. There are scanning solutions available that can operate without source code, using binaries to discover an application's workflow and then testing that application in a controlled environment.
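As an added example, not code from the article or from any vendor product it alludes to, here is a minimal intake gate in Python that applies one contract policy uniformly to every third-party delivery, the "same standard across the board" idea from the steps above. It verifies the artifact hash the vendor committed to, checks that the scan report covers that exact artifact, requires a binary-analysis report when no source was delivered, and rejects findings at or above the agreed severity or findings open longer than the contractual remediation window. The policy values, report layout, finding fields and sample artifact are all constructed assumptions for illustration.

```python
"""Third-party delivery intake gate (added example; assumptions noted inline)."""
import hashlib
from datetime import date

# Assumed ordering of scanner severities; adjust to the scanner actually used.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed contract terms: nothing at or above "high" is accepted, and anything
# lower must be fixed within 30 days of first being reported.
CONTRACT_POLICY = {
    "block_at_or_above": "high",
    "remediation_days": 30,
}


def sha256_hex(data: bytes) -> str:
    """Hash of the delivered artifact bytes, used to tie delivery and scan together."""
    return hashlib.sha256(data).hexdigest()


def evaluate_delivery(artifact: bytes, declared_sha256: str, report: dict,
                      has_source: bool, today: str,
                      policy: dict = CONTRACT_POLICY) -> dict:
    """Apply the contract policy to one delivery and return an accept/reject verdict.

    report is an assumed scanner output shaped like:
      {"artifact_sha256": "<hex>", "scan_type": "binary" | "sast",
       "findings": [{"id": str, "severity": str, "first_seen": "YYYY-MM-DD"}, ...]}
    """
    reasons = []
    actual = sha256_hex(artifact)

    # 1. The bytes received must be the bytes the vendor signed off on.
    if actual != declared_sha256.lower():
        reasons.append(f"artifact hash mismatch: expected {declared_sha256}, got {actual}")

    # 2. The scan must have been run on this exact artifact, not an earlier build.
    if report.get("artifact_sha256") != actual:
        reasons.append("scan report does not cover this exact artifact")

    # 3. No source delivered means a source-only (SAST) report proves nothing.
    if not has_source and report.get("scan_type") != "binary":
        reasons.append("no source delivered but report is not a binary-analysis scan")

    # 4. Enforce the severity threshold and the remediation window from the contract.
    threshold = SEVERITY_RANK[policy["block_at_or_above"]]
    as_of = date.fromisoformat(today)
    for finding in report.get("findings", []):
        rank = SEVERITY_RANK.get(finding["severity"].lower(), 0)
        if rank >= threshold:
            reasons.append(f"{finding['id']}: {finding['severity']} finding blocks acceptance")
            continue
        open_days = (as_of - date.fromisoformat(finding["first_seen"])).days
        if open_days > policy["remediation_days"]:
            reasons.append(
                f"{finding['id']}: {finding['severity']} finding open {open_days} days, "
                f"over the {policy['remediation_days']}-day remediation window"
            )

    return {"accepted": not reasons, "artifact_sha256": actual, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample delivery: a vendor build with no source, scanned as a binary.
    artifact = b"constructed vendor build 1.2.3"
    digest = sha256_hex(artifact)
    report = {
        "artifact_sha256": digest,
        "scan_type": "binary",
        "findings": [
            {"id": "F-100", "severity": "medium", "first_seen": "2024-03-01"},
            {"id": "F-101", "severity": "high", "first_seen": "2024-03-10"},
        ],
    }
    verdict = evaluate_delivery(artifact, digest, report, has_source=False, today="2024-03-15")
    print("accepted" if verdict["accepted"] else "rejected")
    for reason in verdict["reasons"]:
        print(" -", reason)
```

Because the gate is a single function driven by one policy dictionary, it can run in the same central pipeline for every team and every vendor; the same severity threshold and remediation window are applied whether the delivery is a source tree or an opaque binary, which is the consistency an ad hoc per-team scan cannot guarantee.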
Ensuring that the development and information-security teams have a grasp on these basics will provide a strong framework that keeps enterprises as secure as possible. However, building all this from the ground up may be more than many enterprises want to take on, especially given the fact that there are thousands of applications in development at any given time.
CISOs may instead want to consider an existing third-party security solution from an established security vendor, as these solutions are designed to seamlessly integrate with just about any enterprise development system. Plus, these solutions remain current with the ever-changing threat landscape, ensuring that applications are solidified against emerging threats as well as established ones.
Given that third-party software will only become more prevalent in the coming years, enterprise CISOs have to be well-versed on the basics of software supply chain security for there to even be a chance of avoiding a costly security incident. Whichever method they choose to combat this problem, taking just a few basic steps will go a long way in ensuring that their contracted code is as secure as possible — forcing hackers to look elsewhere for an easy target.