How do companies approach third-party application security? With more and more services and products relying on third parties to facilitate software development, that's an important question. Third-party code can have a significant impact on cybersecurity, introducing risks at the same time as it speeds up business processes. And if firms fail to take those risks seriously, the effects can be devastating to their bottom lines and to their reputations.
A recent CA Veracode and 451 Research report, entitled "Third-Party Application Security Risk: The Elephant in the Room Is Finally Getting Talked About," illustrates how awareness of the importance of app security is growing — particularly where third-party software is concerned. Here are a few of the report's takeaways.
In their report, 451 Research and CA Veracode spoke with security executives to gain more insight into how they are dealing with the security of third-party applications.
Many executives are aware that security breaches often occur when vulnerabilities in third-party systems are exploited, because their companies often don't assess these systems with the same level of rigor as those directly handling confidential data. Security flaws in software provided by third parties could potentially open the door to cyberattacks, allowing hackers to breach architecture and access sensitive data.
For enterprises with an effective and consolidated security posture, third-party app security is a top priority. These firms strive for adequate cybersecurity policies that manage third-party app security and adopt the necessary measures to mitigate any risk. According to the report, businesses with mature, long-standing security programs rank third-party application security as a high priority — especially when they have had hundreds or thousands of partners and providers.
The report also highlights a connection between perceived risk and data classification — for better or worse. It states, "The perceived risk of application security corresponded with data-classification levels: software handling personally identifiable information, health information and payment information ranked the highest, as did any software associated with safety issues . . . Although some executives acknowledged that breaches often happen through systems with lower classification, they . . . did not always rate them on the same risk level as those directly handling confidential data. This indicates a possible blind spot in risk analysis that enterprises should be addressing."
In the report's evaluation of third-party app security, another element emerged from the audit: Despite the fact that there is general awareness of the risks related to open-source software, in a number of cases, companies didn't have the resources to test for them.
"In other words, open source may look like a great deal to an organization because it's 'free,' but without the in-house expertise to assess it, it's no different from blindly accepting other third-party software," the report states.
Because software is a system that evolves over time, organizations should constantly reassess the effectiveness of their security programs accordingly. Continually revisiting their approaches to the security of applications developed by third parties allows organizations to improve the overall security of their solutions.
One of the key findings of the report surrounds a very important issue for many firms: compliance. Unfortunately, compliance with guidelines and standards specifically for supply-chain security is not always ensured. The security executives in the report state, "We need more specific standards and controls to guide our approach: In the case of software security, there are very few standards organizations will not accept because most of them don't mandate controls that are specific enough to apply to applications anyway."
The security executives in the report note that their organizations usually ensure compliance with general standards and controls (e.g., ISO 27001, NIST 800-53) while underestimating the security risks associated with third-party applications. Only one interviewee reports that his or her organization is compliant with the ISO 27034 standard.
There's no "silver bullet" approach to managing third-party application security risks; instead, firms should equip themselves with an array of tools, resources and processes to come up with a custom, effective way to manage third-party application security.
For some firms, application security solutions take the form of an internal test team made up of AppSec experts with access to the software's source code, among other things. Another strategy for an effective assessment of third-party code could involve independent experts who are able to verify compliance with the principal security standards. And when an organization is not able to test or audit third-party software itself, it has to fall back on certifications, verifying that the third-party software is compliant with independent standards.
Above all, organizations must make third-party application security their highest priority. Remember: Strong app security protects more than just your data. It protects your budget, your growth and, most importantly, your reputation.
Want to learn more? Download CA Veracode and 451 Research's report.