Corporate cybersecurity risk is drawing federal attention: According to the Wall Street Journal, the US Securities and Exchange Commission now mandates that companies report "cybersecurity risks that could affect the business or its registrants materially" on their 10-K statements. The SEC wants businesses to err on the side of full disclosure, but for many organizations, even identifying potential breach points is no easy task — malicious actors and disgruntled former employees alike pose serious risks.
But it doesn't stop there: Third-party vendor software solutions have also emerged as large-scale threats, as a new Veracode whitepaper, entitled "Third-Party Application Security Risk: The Elephant in the Room Is Finally Getting Talked About," notes. And while CISOs are now bringing this risk to the boardroom, four barriers stand in the way of effective asset oversight and improved cybersecurity disclosure:
It only makes sense to hammer out a security contract with any third-party vendor before giving its software network-level access. But CISOs struggle with how much detail is required. Should contracts cover every possible use case and outcome, or only address high-level security concepts?
Both methods come with possible backlash: Too specific, and contracts become so unwieldy that vendors may not be willing to sign on. Too general, and third parties may claim that security events didn't breach the contract since they fulfilled the letter of their obligations while ignoring the spirit. Length is also an issue: Some vendors want 10- or 15-year commitments, with high costs for adding extra security requirements during the term.
This is the refrain often heard by CISOs when they ask third-party vendors to improve security. Larger vendors may point to their existing stable of clients and argue no changes are necessary; companies can take what's available or go elsewhere. Small vendors, meanwhile, say they can't afford the kind of testing demanded by forward-thinking CISOs, or they may attempt to charge a fee for improved security.
C-suite members may also be sold the line that other companies aren't so difficult and don't encounter the same kind of issues. Dealing with this kind of vendor pressure means building a community of awareness and developing intercompany standards about what kind of security and penetration testing is acceptable and what simply isn't enough.
For third-party vendors to generate revenue, their products must be the first or second to market — any later, and they risk picking up the scraps of other software firms. This rush to market, however, often leaves security on the design room floor; the third-party vendor mind-set typically focuses on getting clients first and building in risk mitigation after cash starts to flow.
As noted by Tripwire, however, companies have to hold the line when it comes to off-site software. If there's no evidence that vendors will actively maintain their software and offer regular security updates, then they're not worth the investment.
It's also worth noting that many third-party applications are built on legacy open-source code or developed by hobbyist coders for friends or relatives. Consider an industry such as healthcare, which is constantly struggling to find more effective ways to streamline the doctor-patient process through ease of data access.
Physicians will often turn to friends or family members with some technical knowledge to create a one-off app, which is used by the practice to fulfill specific needs. Other doctors in the practice recommend the app to colleagues, and eventually word of mouth prompts a corporate buyout. The application is then repackaged and sold to large healthcare enterprises as a stand-alone, fully supported piece of software — but was in fact coded in a suburban garage in a matter of weeks. Bottom line? CISOs can never assume the origins of third-party apps; everything requires independent testing.
Word is out: Third-party vendor code poses serious cybersecurity risk. And while CISOs are bringing the discussion to the boardroom, challenges remain. From complicated contracts to stubborn vendors, security overlooked for speed and code of unknown origin, there's a long road ahead when it comes to effective cybersecurity oversight.
Want to dig deeper for more effective strategies to manage third-party vendor risk? Download Veracode's whitepaper in its entirety.