Updated: Oct 29, 2020
Managing a complex ecosystem of software and partnerships is a fundamental need for today’s businesses. Most enterprises run hundreds of mission-critical apps, many of which are either out-of-the-box or customized third-party solutions. The benefit of third-party software is clear: It saves time, resources, and allows you to implement new capabilities quickly, efficiently, and at scale.
Unfortunately, with great reward comes some risk. Many of last year’s most significant breaches – like CSC, Best Buy, and Delta – were due to missed vulnerabilities in the company's third-party applications. For example, Best Buy suffered a breach via their online chat service, 7.ai, which had stored BestBuy customer payment data on its servers.
Bringing on new, third-party software can be an exciting step forward for your workload and projects, allowing you to add new capabilities, build on the open source community, and leverage some of the best code out there. However, each new partnership creates an opportunity for hackers to access your systems and data. Even if your vendors claim to be secure, their code might not necessarily live up to the security standards and compliance requirements of your business. Developers can’t leave all risk management up to their security counterparts; developers need to share that responsibility just as they share responsibility for writing their own secure code.
Risks developers should know about third-party code
As Bogdan Rancea writes, open source code fragments are downloaded hundreds or thousands of times a day – and not everyone is contributing secure code or maintaining a secure code sharing system. The more complex the code, the easier it is for a few lines of malicious code to go undetected.
Rigorous testing is often overlooked for third-party code. If third-party code touches your data, it should be tested – but many businesses either don’t test or complete the bare minimum required by their compliance teams.
Standard third-party script tracking is documented, but there may be additional tracking that isn’t disclosed. These scripts may be collecting data across your website and apps, storing personally identifiable information from your customers as they engage with your business.
When a breach occurs, your brand will be held responsible. When your customers’ data is at stake, it doesn’t matter if the breach happens on third-party soil; if it’s your data, it’s your problem.
Protect your company and customers by planning ahead
While a breach may be inevitable, the disastrous aftermath isn’t. Proactive security measures in third-party relationships can save your company a lot of heartache in the long run, and developers are well suited to lead the charge. Here are a few best practices to follow:
4 Steps to take
1. Take inventory of all of your current third-party relationships
Begin with where you are now: Create a list of every third-party program used across your company. Make sure you know what code is being used, who the contact person is both internally and at the vendor (if applicable), and understand what data is being accessed or stored by the third party. You may choose to pursue security conversations and testing with certain vendors based on the classification of the data they work with, making an inventory of third-party relationships a valuable tool to prioritize. Once your inventory is complete, it may be useful to consider a third-party or open source code audit to thoroughly investigate your code ecosystem.
2. Work with security to create formal requirements for all new third parties
Establishing standards will allow your team to vet potential collaborators and ensure that any new software or code isn’t posing an unnecessary risk to your business. It will also help to serve as a requirements guide during the procurement process and can mitigate internal conflict when trying to get new tools approved. If you’re unsure where to start, begin by looking at the requirements of all the legal regulations that apply to your business, such as GDPR. You could also look at how the third-party code or tools will interact with your data, systems, and software and create requirements based on what will help you best protect the business.
3. Take on a security mindset: It’s everyone’s responsibility
When hackers are trying to find any possible way in, it’s important that your entire organization – not just the security department – feels responsible for and capable of contributing to your company’s security posture. Widespread security awareness will hopefully make security a priority whenever a team is evaluating a new tool or code fragment.
4. Data encryption: Start your security practices with the data
Set policies to protect data based on certain trigger actions – like the creation of data or external sharing – or based on the level of data sensitivity. By making encryption a standard practice across all systems, you’re adding a layer of security that requires identity-based authentication, which can give insight to who is accessing your data and when. Moreover, any stolen data will only be useful to hackers if it can be decrypted.
Licensed from https://about.gitlab.com/blog/2019/07/16/third-party-code-risks/