How to Identify Vulnerable Third-Party Software

Victor Gamra
Author: Victor Gamra, CISSP, CISM, PCIP
Date Published: 28 January 2021

Editor’s note: The following is a sponsored blog post from FortifyData.

The year 2020 will be reflected in history as a year of many surprises. In hindsight, one trend that, though not a surprise, rattled unexpecting companies, was the explosive occurrence of cybersecurity breaches via third-party software. These trends serve as a stark reminder of the critical role that third parties play in the failure or success of cybersecurity efforts.

No matter the source, once a breach happens, loss of credibility and business are amongst the worse fallouts. A Ponemon Institute study found 31% of consumers discontinue using the services of a company impacted by a data breach. The average cost of a data breach is considerable. According to an IBM report, in 2020 it was US$3.86 million.

The rise of third-party software risks

There is no shortage of headlines when it comes to third-party breaches. In early 2020, GE’s human resources document management system provided by Canon Business Process Services was breached. It exposed over 200,000 personal and health benefits records of GE’s current and former employees. The massive data breach affecting Instagram, YouTube and TikTok, exposing nearly 235 million user accounts, was traced to Deep Social, a now-defunct social media data broker.

Aerospace and automakers – Tesla, SpaceX, Boeing, and Lockheed – lost valuable intellectual property (IP) through a breach induced by Visser, a third-party parts company. The travel industry also was affected. Expedia, Hotels.com, and some other travel sites experienced a significant data breach via third-party Prestige Software, which stored over 10 million records from its online booking clients in an exposed AWS S3 bucket.

While third-party software is becoming a common commodity in most organizations, currently there’s a lack of a formal vetting process to assess the security posture of the software and mitigate the risks they pose to a company’s core operations on an ongoing basis.

Data breaches of such severity underscore the importance of identifying and assessing third-party software vulnerability in your overall third-party risk management (TPRM).

Best practices for identifying and managing third-party software vulnerabilities

Security research found 22% of the participating companies did not monitor their supply chain to ensure security, and 32% failed to re-assess their vendors regularly or while onboarding new vendors.

In addition to challenges in testing and certifying third-party software, insufficient logging and monitoring are other hurdles. Software as a Service (SaaS) often lacks measures to detect data breaches. Discovery time for a breach is roughly 200 days on average, which gives attackers ample time before a response to the security incident kicks in.

To counteract these challenges, identify vulnerabilities through:

  • NextGen Cybersecurity Ratings: Monitoring at a point in time isn't enough to cover the ongoing chain of security events. Next generation TPRM tools that leverage security ratings to analyze risk and continuously monitor events can provide visibility and facilitate early detection of threats.
    • Active and Passive Scanning: Regular scans to identify, prioritize and evaluate software vulnerabilities, and mapping them to releases, make your infrastructure resilient against third-party software and components. These scans must include web application vulnerability identification on third–party web applications and SaaS. Such scans will leverage a standard like OWASP top 10, which is a regularly updated list of critical security risks to software that includes:
      • Injection attacks
      • Broken authentication
      • Sensitive data exposure
      • Security misconfiguration
      • Cross-site scripting
      • Insecure deserialization
      • Using components with known vulnerabilities, etc.
    • Automated Risk Assessments: Cyber risk assessment and scoring of third-party software through the use of framework-based integrated questionnaires that can help you identify and auto-validate control deficiencies and gaps is also critical to improving your overall risk posture.

    Leveraging next generation third-party risk management solutions
    Identifying and mitigating third-party software vulnerabilities can seem like a daunting task. However, leveraging a next-generation cybersecurity risk management platform for third-party risk management, like FortifyData, will simplify how you secure your organization against threats from third-party software.

    Here’s what to expect from a next-gen TPRM solution for software vulnerability mitigation:

    • Automated assessments of third-party software and cyber risk scoring
    • Automated validation of third-party compliance adherence
    • Continuous monitoring and event-based alerts for early threat detection
    • Comprehensive risk reports and easy collaboration for timely remediation

    Today, securing an organization involves much more than your employees and internal infrastructure. Today, third-party software and vendors are an integral part of your core operational workflows and are often a weak link in your security framework.

    Prioritizing and investing in next-gen TPRM tools automates, simplifies and hardens your enterprise security posture and threat resilience.