Researchers have discovered yet another bug in a WordPress plugin. A vulnerability in the MainWP Child plugin allows an attacker to take full control of the affected website. The flaw is easy to exploit and is estimated to affect upwards of 90,000 websites. If you run WordPress, check whether the MainWP Child plugin is installed on any of your sites and upgrade it to the patched release to close the hole.
This is just the latest example of the supply chain introducing risk into enterprises. During the recent Superfish kerfuffle, CNET noted that an insecure supply chain is the "biggest problem in software". And just like Lenovo, WordPress is taking the brunt of the bad publicity for the vulnerability, not the creator of the plugin. Because enterprises control neither the development process nor the security practices of third-party applications and plugins, securing the supply chain is notoriously difficult, and that gap exposes them to risk they never chose to take on.
So what can you do to protect your enterprise? Here are six tips for embedding security into your procurement processes so that you can reduce the risk introduced by your supply chain.
Define the criticality of each purchased application: not all applications are equal, and a vulnerability in a calculator app does not matter as much as one in your authentication system.
Define a third-party application security policy.
Establish verification procedures and acceptance criteria for delivered products and services.
Define when, how, and with whom the software supplier or the enterprise will communicate in the event of an incident.
Define acceptable standards for software maintenance, and understand the mechanisms by which firmware and software components are updated.
Require a "bill of materials": a list of the external components contained in the purchased software, so that you know what you are actually running when one of them is found to be vulnerable.
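Two of the points above, finding out whether a given plugin is installed and at what version (the MainWP Child advice at the top of this post) and keeping a bill of materials of third-party components, come down to the same mechanical task on a WordPress host: reading the header comment of each plugin's main PHP file. The POSIX shell script below is an added example written for this post, not code from the MainWP project or from WordPress. It assumes the standard WordPress plugin header format ("Plugin Name:" and "Version:" lines in a comment block at the top of the plugin's main file) and the usual wp-content/plugins directory layout; the plugin slug "mainwp-child" and every version number in the sample tree are constructed for the demonstration and are not the real vulnerable or fixed versions.

```shell
#!/bin/sh
# Added example: build a simple bill of materials for WordPress plugins from
# their header comments, and flag one that is below a required version.
# Assumes the standard WordPress plugin header ("Plugin Name:", "Version:").

# plugin_header FILE FIELD: print the value of a header field, e.g. "Version".
# Handles both "/* Field: value */" and " * Field: value" comment styles.
plugin_header() {
    sed -n "s/^[[:space:]]*[*]*[[:space:]]*$2:[[:space:]]*//p" "$1" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

# version_lt A B: succeed (exit 0) if dotted numeric version A is older than B.
# Missing components count as 0, so 2.0 == 2.0.0 and 1.0 < 1.0.1.
# Only numeric components are supported (no "beta"/"rc" suffixes).
version_lt() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        if [ "$_x" = "$_a" ]; then _a=''; else _a=${_a#*.}; fi
        if [ "$_y" = "$_b" ]; then _b=''; else _b=${_b#*.}; fi
        _x=${_x:-0}; _y=${_y:-0}
        if [ "$_x" -lt "$_y" ]; then return 0; fi
        if [ "$_x" -gt "$_y" ]; then return 1; fi
    done
    return 1
}

# plugin_bom PLUGINS_DIR: print one tab-separated line per plugin:
# slug, declared plugin name, declared version. The main file of a plugin is
# the first .php file in its directory that carries a "Plugin Name:" header.
plugin_bom() {
    for _dir in "$1"/*/; do
        [ -d "$_dir" ] || continue
        _slug=$(basename "$_dir")
        for _f in "$_dir"*.php; do
            [ -f "$_f" ] || continue
            _name=$(plugin_header "$_f" "Plugin Name")
            [ -n "$_name" ] || continue
            _ver=$(plugin_header "$_f" "Version")
            printf '%s\t%s\t%s\n' "$_slug" "$_name" "${_ver:-unknown}"
            break
        done
    done
}

# plugin_check PLUGINS_DIR SLUG MIN_VERSION: exit 0 if the plugin is absent or
# at/above MIN_VERSION, exit 1 if an older copy is installed.
plugin_check() {
    _line=$(plugin_bom "$1" | awk -F'\t' -v s="$2" '$1 == s')
    if [ -z "$_line" ]; then
        echo "$2: not installed"
        return 0
    fi
    _v=$(printf '%s\n' "$_line" | cut -f3)
    if version_lt "$_v" "$3"; then
        echo "$2: installed $_v is older than required $3, upgrade needed"
        return 1
    fi
    echo "$2: installed $_v is at or above $3"
    return 0
}

# make_sample_plugins: create a constructed plugins tree in a temp directory
# (stand-in for wp-content/plugins) and print its path. Names and version
# numbers are made up for the demonstration.
make_sample_plugins() {
    _d=$(mktemp -d)
    mkdir -p "$_d/mainwp-child" "$_d/hello-dolly"
    cat > "$_d/mainwp-child/mainwp-child.php" <<'EOF'
<?php
/*
Plugin Name: MainWP Child
Version: 1.0.0
*/
EOF
    cat > "$_d/hello-dolly/hello.php" <<'EOF'
<?php
/**
 * Plugin Name: Hello Dolly
 * Version: 1.6
 */
EOF
    printf '%s\n' "$_d"
}

# Demo on the constructed tree; the hypothetical minimum 1.0.1 flags the 1.0.0 copy.
sample=$(make_sample_plugins)
echo "Plugin bill of materials (slug, name, version):"
plugin_bom "$sample"
plugin_check "$sample" mainwp-child 1.0.1 || :   # non-zero status flags the outdated copy
rm -rf "$sample"
```

On a real host, point plugin_bom at wp-content/plugins and keep its output with the rest of your inventory; when the next plugin advisory lands, plugin_check against the vendor's fixed version tells you in seconds which sites need attention. The header parsing is deliberately simple and trusts the plugin's own declaration, so treat it as an inventory aid, not as proof that the code on disk matches what the version string claims.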
For more tips and information on creating a successful third-party security program read the guide: