Third-party software is the new perimeter for enterprises. Attackers are now targeting the IT supply chain because traditional network perimeters have been hardened over time and are further protected by next-generation firewalls and other controls.
Driven by the need to accelerate time-to-market, most applications are now “assembled” in a Lego-like fashion from third-party components such as outsourced code, libraries and open source, rather than developed from scratch.
Mitigating the risks
90% of third-party code does not comply with enterprise security standards such as the OWASP Top 10.*
As a result of the large and growing footprint of third-party software in the enterprise, regulatory bodies such as the OCC and industry organizations such as FS-ISAC, OWASP and the PCI Security Standards Council are now placing increased focus on controls required to mitigate the risks introduced by third-party software.
For example, the OWASP Top 10 now includes a requirement that prohibits vulnerable components from being used. OWASP points out that “Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover.”
Clearly, relying solely on vendor surveys and self-attestations is no longer sufficient to address these risks. Enterprises are looking for independent verification of the security of third-party software.
* State of Software Security Report, Enterprise Testing of Software Supply Chain (Supplement)