Find and fix security vulnerabilities in third-party software over which you have no control
There is popular wisdom that says don’t stress over the things in your life that you can’t control. This is great advice for all of us these days. Nonetheless, no matter how hard you try, there will be things beyond your control that you still need to be aware of, especially in a business setting. One specific thing you need to stay aware of, whether you have full control over it or not, is software developed by third parties. Whether it is in the source code of your web applications, in external libraries called by your software, or in the web interfaces of systems you cannot update or maintain, there is probably a lot of third-party software in your environment. And, knowing what we now know about application security, you need to do something about it.
Many of the most important security risks for any given organization are caused by code written and, presumably, maintained by others. It’s easy to say that other people’s code is not my responsibility, but reality has another set of plans. The last thing you need is a software exploit that facilitates an incident or breach. Whichever outside party wrote the original code, it is now your responsibility because it is part of your network environment. So the question becomes, what are you going to do about it?
One thing you need to remember is that external parties such as auditors, clients, and even juries and judges don’t care how vulnerabilities entered your environment. Even with your hands tied, application security breaches can and likely will reflect badly on you. As soon as you become aware of an application security vulnerability over which you have no immediate control, involve the external vendor.
Talk to your supplier to see what they could do or what compensating controls they could help you with. Show them the hard evidence you have of the specific vulnerability, then communicate its impact on your business. A report from a web vulnerability scan, a dynamic analysis, or a software composition scan might be all they need. They may need additional details discovered by manual testing. Either way, it could be something their developers can fix quickly. The vendor may have unbiased and solid ideas for remediation that are not obscured by your perception of your own application and network environment.
The third parties responsible for the vulnerabilities may not be interested in fixing them. If that’s the case, you can go up the food chain and talk to management and try to build on the relationship you have with them. You can also try to find out who else is using this software and try to come together with a unified front that might help change the provider’s mind.
Still, you could find yourself at a dead end with the vendor. If so, determine what you could do to mitigate the risk with technical controls on your network. Update the software yourself, upgrade to a new platform, put a web application firewall in front of it, or segment the network – whatever it takes.
One of the biggest challenges in application security is the inability to recognize vulnerabilities in the first place. Whether you’re responsible for all of IT or focusing on application security, it’s imperative that you take reasonable steps to uncover security vulnerabilities in your software. This is true whether it’s developed in-house or whether it’s someone else’s code. But you can’t stop there. You then need to take that information, determine the impact of the vulnerabilities on the business, and then do what you can to minimize the risks identified. If you have any third-party software dependencies that contain intractable vulnerabilities, you will need to resolve them somehow. Once you see a vulnerability, however it got there, something needs to be done. If it cannot be resolved, it’s time to move on and get away from those unnecessary risks.
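The process above (inventory your third-party dependencies, match them against known advisories, then decide between a vendor fix and a compensating control) can be scripted as a minimal software composition check. The following is an added example, not code from the original article; the package names, versions and advisories are constructed sample data, not a real feed.

```python
"""Minimal software composition check for third-party dependencies.

Matches an inventory of installed packages against an advisory list,
ranks findings by impact, and records the action the article's process
calls for: vendor fix where one exists, compensating control or
replacement where the vendor has shipped nothing (the intractable case).
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """Turn a dotted version string into a comparable tuple, e.g. "2.3.1" -> (2, 3, 1)."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    package: str
    affected_below: str         # versions strictly below this are affected
    fixed_in: Optional[str]     # None: the vendor has not shipped a fix
    impact: str                 # severity label from the advisory


# Constructed sample advisories (hypothetical packages, not real CVEs).
ADVISORIES = [
    Advisory("acme-auth", "2.4.0", "2.4.0", "high"),
    Advisory("legacy-pdf", "1.9.9", None, "medium"),
    Advisory("widget-ui", "3.1.0", "3.1.0", "low"),
]

# Constructed inventory, as it would be parsed from a lock file or SBOM.
INVENTORY = {"acme-auth": "2.3.1", "legacy-pdf": "1.2.0", "widget-ui": "3.2.0", "other": "0.1"}


def assess(inventory: dict, advisories: list) -> list:
    """Return findings for affected packages, highest impact first."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.package)
        # Not installed, or already at/above the first unaffected version: no finding.
        if installed is None or parse_version(installed) >= parse_version(adv.affected_below):
            continue
        if adv.fixed_in:
            action = f"upgrade to {adv.fixed_in} and ask the vendor to confirm the fix"
        else:
            action = "no vendor fix: apply a compensating control (WAF, segmentation) or replace the component"
        findings.append({"package": adv.package, "installed": installed,
                         "impact": adv.impact, "action": action})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["impact"]])
```

Feed it a real inventory and advisory source and the `action` column becomes the list you take to the vendor conversation described above.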