It's nearly impossible for modern enterprises to avoid third-party software and outsourced code. But as hackers and thieves continue to focus on the software layer, it's becoming increasingly important for every enterprise to develop a process for addressing their outsourced or third-party software, which must include a third-party compliance policy. Without one, enterprises leave themselves open to all kinds of security issues.
Here's how you can develop a robust policy that mitigates the risks of outsourcing:
A World of Third-Party Risk
There was a time when it was perfectly reasonable for a large enterprise to manage and develop all its software internally, so network security teams and CISOs could focus solely on in-house development. In those days, CISOs were most worried about vulnerabilities in their operating systems and emerging Internet portals, as these represented the true security perimeters of their systems.
Now, however, with the explosion of enterprise software development, a new world of security issues has emerged. Today's research and development managers are looking to third-party solutions to fill out their offerings; even if most development is handled in-house, it's almost impossible to completely avoid using third-party snippets or open-source solutions. Additionally, as business technology expands, many enterprise systems are being integrated with third-party solutions that are developed separately but still have access to important company information.
Third-party software (and the hardening of traditional network perimeters) has attracted hackers' attention as well. These thieves know that one small vulnerability in a widely used piece of third-party code can pay huge dividends. They often focus on third-party portals into enterprises, knowing that many aren't secured against common attacks — those in the OWASP Top 10, for example — and can provide access to large amounts of company and customer information.
How a Third-Party Compliance Policy Can Help
The shift toward outsourced development happened suddenly, catching many people (including CISOs) off guard. As a result, good CISOs ended up with robust InfoSec policies that simply don't apply to their most vulnerable software.
To combat this issue, CISOs need to develop robust third-party policies that secure all code that interfaces with their networks. A true compliance policy will ensure that third-party software is resilient against the common vulnerabilities as defined by industry experts, making it likely that hackers will simply move on to easier prey — leaving enterprises vulnerable only to targeted, long-term attacks.
The problem? Developing a true third-party security policy is much more complicated than just porting your existing policy to vendors. It's one thing to demand tightened security from a vendor, and another thing entirely to ensure those requests are being honored.
Developing a Robust Policy
A third-party software compliance policy begins with a detailed self-assessment questionnaire that all vendors should answer. While this questionnaire can't be fully trusted, it will serve as a good introduction for vendors as to how serious you are about security; the Shared Assessments SIG or AUP provide a standardized version of this questionnaire that the majority of vendors are used to completing.
After that, CISOs should audit their enterprise development programs to determine just how many third-party vendors they are working with. As enterprises have expanded, it's not uncommon for individual development teams to expand to third-party solutions or open-source code without involving their security teams in the process. Many CISOs are surprised at how much outsourced code their businesses actually use.
Once vendors understand and agree with an enterprise's security approach and CISOs know how much third-party code they are dealing with, the next step is to bring in assistance. After all, third-party software vendors have to be continuously checked to ensure they are meeting the requirements set forth in their assessments. For this, find an independent application security testing provider that has the experience necessary to build a workflow in which all aspects of the network architecture, including remote third-party installations, are secure. The best security vendors can provide multiple types of deep code scanning, ensuring that code is free from common vulnerabilities even if business rules prevent the enterprise from working directly with source code. If a solution is presented in a scalable, cloud-based platform, it can easily be expanded to encompass all incoming code and applications, ensuring maximum security with minimal effort from the enterprise.
Third-party software is quickly becoming a major headache for many CISOs, but it doesn't have to be one for you. By prioritizing the development of a third-party compliance policy, you can avoid the embarrassing and costly issues commonly associated with insecure outsourced code.
