Surviving Security Risks Existent in Third-Party Software

risk management

Apr 30, 2020

Third-Party Software Components

Third-party software comprises software libraries, modules and other components that are either purchased from a third-party vendor or made freely available. It includes open source software and commercial off-the-shelf (COTS) components, which are ready for use straight away rather than being built from scratch, thereby reducing application development time.

A large number of companies today use third-party software to deliver solutions to their customers and to gain a competitive advantage in their industry by focusing more on product customization. Third-party software is also used to speed up the application development process at a lower cost. While companies benefit from third-party software, they also introduce its vulnerabilities into their own code base. Below are the risks associated with the use of such software.


Security Risks from the Use of Third-Party Software

Discovery of Exploit
When a vulnerability is discovered in an open source project, attackers take advantage of companies that are slow to patch the applications that depend on that project.

Legal/Regulatory Risk
The use of multiple open source components in a single proprietary application makes it difficult to manage open source licenses as businesses develop and release software at a high rate. Non-compliance with the terms of any individual license could lead to legal action against the company.

Intellectual Property Risk
Intellectual property infringement risk may occur when proprietary code makes its way into open source projects due to a lack of standard commercial controls.

Business Risk
Open source components used by a company may suffer from a lack of operational efficiency when the company fails to track and update them as new versions become available. These updates should be applied promptly, as they often address high-severity security vulnerabilities. Companies should maintain a proper inventory so that components which are not updated frequently can be tracked.

Software Developer Malpractices
Manually transferring open source components via email, or copying and pasting code from open source libraries, makes a company's applications susceptible to future vulnerabilities, because such untracked copies are never updated when the upstream project ships a fix.


Third-Party Software Risk Control

Necessary verification and due diligence should be carried out to control the risk inherent in the use of Third-Party Software.

Security Control
- Establish necessary security requirements and include them in acquisition and software contracts with third parties.
- Establish security-related principles for choosing commercial and open source software.
- Request evidence that shows software components of a commercial software provider are compliant with the company’s security requirements. The third-party vendor should be able to provide documentation with details of security technologies used, third-party security audits and vulnerability assessments completed.
- Software components should be transferred via a binary repository or a secure network.

Verification Control
- Carry out an appropriate verification of third-party software modules and services.
- Confirm there are no publicly known vulnerabilities in the software components that have yet to be fixed by the third-party vendor.
- Ensure the software module is actively maintained, and have a plan for the case where a module is no longer supported.

Infringement Risk Control
- Carry out appropriate due diligence on open source projects to detect potential infringement risks.

Software Technology
- Software Composition Analysis (SCA) tools automatically track the open source licenses used in a company's applications and identify the third-party and open source components integrated into them.
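The verification and SCA controls above, as an added example that is not code from the original article or from WCG: a small Python inventory check that runs over a constructed component list and a constructed advisory feed (hypothetical component names, placeholder advisory ids, an assumed approved-license list and an assumed one-year staleness threshold) and flags components with a publicly known vulnerability, whether or not the vendor has shipped a fix, components whose license is not approved, and components that have not had a release within the threshold.

```python
from datetime import date

# Constructed inventory of third-party components (hypothetical names and versions).
INVENTORY = [
    {"name": "examplelib", "version": "1.4.2", "license": "MIT", "last_release": "2020-01-15"},
    {"name": "oldparser", "version": "2.0.1", "license": "GPL-3.0", "last_release": "2017-06-01"},
    {"name": "netutil", "version": "0.9.0", "license": "Apache-2.0", "last_release": "2019-11-03"},
]

# Constructed advisory feed with placeholder ids; fixed_in None means no vendor fix exists yet.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "netutil", "fixed_in": "1.0.0"},
    {"id": "ADV-PLACEHOLDER-2", "name": "examplelib", "fixed_in": None},
]

APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}  # assumed company policy
STALE_AFTER_DAYS = 365  # assumed threshold for "not updated frequently"


def parse_version(text):
    """Split a dotted numeric version into a comparable tuple, e.g. '1.4.2' -> (1, 4, 2)."""
    return tuple(int(part) for part in text.split("."))


def check_inventory(inventory, advisories, today_iso):
    """Return (component, finding) pairs for vulnerable, non-compliant or stale components."""
    today = date.fromisoformat(today_iso)
    findings = []
    for comp in inventory:
        name, version = comp["name"], parse_version(comp["version"])
        # Verification control: publicly known vulnerabilities, fixed upstream or still open.
        for adv in advisories:
            if adv["name"] != name:
                continue
            if adv["fixed_in"] is None:
                findings.append((name, f"{adv['id']}: known vulnerability, no vendor fix yet"))
            elif version < parse_version(adv["fixed_in"]):
                findings.append((name, f"{adv['id']}: vulnerable, upgrade to {adv['fixed_in']}"))
        # Legal/regulatory control: the license must be on the approved list.
        if comp["license"] not in APPROVED_LICENSES:
            findings.append((name, f"license {comp['license']} is not approved"))
        # Business risk control: flag components with no recent release.
        age_days = (today - date.fromisoformat(comp["last_release"])).days
        if age_days > STALE_AFTER_DAYS:
            findings.append((name, f"no release for {age_days} days; confirm it is still maintained"))
    return findings


if __name__ == "__main__":
    for component, finding in check_inventory(INVENTORY, ADVISORIES, "2020-04-30"):
        print(f"{component}: {finding}")
```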

Obsolescence Policy
- Third-party vendors should provide a policy stating that support will be provided for older version(s) of their software, with adequate lead time before a newer version is released.

At WCG, we recognize that security is a top priority for businesses. We offer solutions that help test and manage vulnerabilities in third-party software.
Wilson Consulting Group is an innovative global cybersecurity consulting firm. We offer Cyber Intelligence, Cyber Security Assessment, Penetration Testing, SOC 2 Type 2 Services, and Vulnerability Assessment Services to evaluate any threats that your organization may face and provide solutions to combat them.