Third-party software consists of software libraries, modules and other components that are either purchased from a third-party vendor or made freely available. It includes open source software and commercial off-the-shelf (COTS) components, which are ready to use immediately rather than built from scratch, thereby reducing application development time.
A large number of companies today use third-party software to deliver solutions to their customers and to gain a competitive advantage in their industry by focusing more on product customization. Third-party software is also used to speed up the application development process at a lower cost. While companies benefit from third-party software, it can also introduce vulnerabilities into their code. The risks associated with its use are outlined below.
• Discovery of Exploits
When a vulnerability is disclosed in an open source project, attackers take advantage of companies that are slow to patch the applications that depend on that project.
• Legal/Regulatory Risk
The use of multiple open source components in a single proprietary application makes it difficult to manage open source licenses as businesses develop and release software at a high rate. Non-compliance with any individual term of the different licenses could lead to legal action against the company.
• Intellectual Property Risk
Intellectual property infringement risk may occur when proprietary code makes its way into open source projects due to a lack of standard commercial controls.
• Business Risk
Open source components used by a company can reduce operational efficiency when the company fails to track and update them as new versions become available. These updates should be applied promptly, as they often address high-severity security vulnerabilities. Companies should maintain a proper inventory so they can identify components that are not updated frequently.
• Software Developer Malpractices
Manually transferring open source components by email, or copying and pasting code from open source libraries, makes a company's applications susceptible to future vulnerabilities.
Necessary verification and due diligence should be carried out to control the risk inherent in the use of third-party software:
- Establish necessary security requirements and include them in acquisition and software contracts with third parties.
- Establish security-related principles for choosing commercial and open source software.
- Request evidence that the software components of a commercial software provider comply with the company's security requirements. The third-party vendor should be able to provide documentation detailing the security technologies used, third-party security audits and vulnerability assessments completed.
- Transfer software components via a binary repository or a secure network.
- Carry out an appropriate verification of third-party software modules and services.
- Confirm that the software components have no publicly known vulnerabilities that the third-party vendor has yet to fix.
- Ensure the software module is maintained, and have a plan for what to do if it is no longer supported.
Infringement Risk Control
- Carry out appropriate due diligence on open source projects to detect potential infringement risks.
- Use Software Composition Analysis (SCA) tooling to automatically track the open source licenses used in a company's applications. It also helps businesses identify the third-party and open source components integrated into their applications.
- Third-party vendors should provide a policy indicating that support will be provided for older version(s) of their software, with adequate lead time before the release of a newer version.
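To illustrate the inventory, known-vulnerability and license checks described in the two lists above, here is a minimal SCA-style audit in Python. It is an added example, not code from the original article or from WCG; the component inventory, advisory ranges and license policy are all constructed sample data, and the version/date thresholds are assumptions.

```python
# Added example: a minimal software composition analysis (SCA) pass over a
# constructed dependency inventory. It flags components whose version falls
# in a known-vulnerable range, components using a license the company's
# policy disallows, and components that have not been updated recently.
from dataclasses import dataclass
from datetime import date


@dataclass
class Component:
    name: str
    version: tuple      # (major, minor, patch), compared lexicographically
    license: str
    last_release: date  # date of the component's latest upstream release


# Constructed sample inventory of third-party components (hypothetical names).
INVENTORY = [
    Component("libfoo", (1, 2, 3), "MIT", date(2023, 11, 1)),
    Component("libbar", (0, 9, 0), "AGPL-3.0", date(2020, 1, 15)),
    Component("libbaz", (2, 0, 1), "Apache-2.0", date(2024, 3, 2)),
]

# Constructed advisory feed: name -> (first vulnerable version, first fixed version).
ADVISORIES = {
    "libfoo": ((1, 0, 0), (1, 2, 4)),
    "libbaz": ((1, 0, 0), (2, 0, 0)),
}

# Constructed license policy: licenses the company does not permit.
DENIED_LICENSES = {"AGPL-3.0"}


def is_vulnerable(component, advisories=ADVISORIES):
    """True if the component's version lies in a known-vulnerable range."""
    rng = advisories.get(component.name)
    return rng is not None and rng[0] <= component.version < rng[1]


def audit(inventory=INVENTORY, today=date(2024, 6, 1), max_age_days=365):
    """Return sorted (component, finding) pairs for the whole inventory."""
    findings = []
    for c in inventory:
        if is_vulnerable(c):
            findings.append((c.name, "known-vulnerable"))
        if c.license in DENIED_LICENSES:
            findings.append((c.name, "license-denied"))
        if (today - c.last_release).days > max_age_days:
            findings.append((c.name, "unmaintained"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit():
        print(f"{name}: {finding}")
```

A real SCA tool replaces the constructed advisory dictionary with a live vulnerability feed and the hand-written inventory with the manifest or lock file of the build.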
At WCG, we recognize that security is a top priority for businesses. We offer solutions that help test and manage vulnerabilities in third-party software.
Wilson Consulting Group is an innovative global cybersecurity consulting firm. We offer Cyber Intelligence, Cyber Security Assessment, Penetration Testing, SOC 2 Type 2 Services, and Vulnerability Assessment Services to evaluate any threats that your organization may face and provide solutions to combat them.