Third-party software security risks are on the rise, and so are the significant cyber attacks they facilitate. According to a CrowdStrike report, 45% of surveyed organizations said they experienced at least one software supply chain attack in 2021. In 2023, the average number of SaaS apps used by each company is 130 - a 5x increase compared to 2021. With third-party relationships multiplying at such speeds, detecting and managing security risks in the third-party network will only get increasingly difficult.
In this post, we outline four methods for discovering vulnerable third-party software that could increase your risk of suffering a data breach.
4 Methods for Identifying Third-Party Software Vulnerabilities
The process of detecting vulnerable third-party software isn’t a stand-alone process; it should sit within a broader third-party cybersecurity program known as Third-Party Risk Management (TPRM). Third-party vulnerability detection is the second stage of a TPRM lifecycle.
The best TPRM programs combine several security tools into a single, comprehensive third-party risk detection mechanism. This cybersecurity toolbox usually consists of the four methods covered below.
Each of these methods for detecting vendor-software security issues is addressed in turn.
1. Scrutinize Vendor Application Security Risk Assessments
Risk assessments, or security questionnaires, are one of the best methods for extracting deep cybersecurity insights about any aspect of a vendor’s attack surface. Risk assessments can either be framework-based, to identify security control deficiencies against popular security standards, or custom-designed for focused investigations into specific third-party risks.
Some popular framework-based assessments that can help you discover vulnerabilities in third-party web applications and software include:
- Cloud Security Alliance — Consensus Assessments Initiative Questionnaire (CAIQ).
- General Data Protection Regulation (GDPR) Questionnaire.
- Higher Education Community Vendor Assessment Tool (HECVAT).
- ISO 27001.
- National Institute of Standards and Technology — NIST SP 800-171.
- Shared Assessments Group — Standardized Information Gathering Questionnaire (SIG / SIG-Lite).
- Vendor Security Alliance — VSA Questionnaire (VSA).
- Payment Card Industry Data Security Standards (PCI DSS) Questionnaire.
Most industry-standard questionnaires map to public repositories of known vulnerabilities impacting third-party software.
Open Web Application Security Project (OWASP) Top 10
OWASP Top 10 lists the most critical web application security risks. It provides guidance on how to prevent and mitigate these risks. You can use this questionnaire to assess the security of third-party software against common attack vectors such as:
- Cross-site scripting (XSS)
- Malicious code injection attacks
- Open-source vulnerabilities
- SQL injection susceptibility.
Common Vulnerability Scoring System (CVSS)
The CVSS is a framework for assessing the severity of security vulnerabilities. It assigns a score to vulnerabilities based on their impact and likelihood of exploitation. You can use this questionnaire to evaluate the risks associated with third-party software.
National Institute of Standards and Technology (NIST) Cybersecurity Framework
The NIST Cybersecurity Framework is a set of guidelines for improving cybersecurity risk management. You can use this questionnaire to assess the security posture of third-party software.
Center for Internet Security (CIS) Controls
The CIS Controls are a set of best practices for securing IT systems and data. You can use this questionnaire to identify security gaps in third-party software and implement the necessary controls.
SANS Institute Critical Security Controls
The SANS Institute Critical Security Controls provide a prioritized list of actions to improve cybersecurity. You can use this questionnaire to evaluate third-party software security so that critical vendors can be prioritized in remediation efforts.
Common Vulnerabilities and Exposures (CVE)
The CVE database is a publicly available list of known cybersecurity vulnerabilities and exposures that could be impacting software providers in your supply chain. This regularly updated list can be accessed through the National Vulnerability Database (NVD).
Custom-built questionnaires are great for evaluating specific aspects of vendor software cybersecurity for optimum vulnerability management efforts. Custom questionnaires can gain insights into the following complex third-party software attack vectors:
- Poor security practices in the software development lifecycle.
- Legacy operating systems, which are at heightened risk of malware injection.
- Weak DevOps security.
- Unprotected and publicly exposed APIs.
- Misconfigured databases that expose source code to hackers.
2. Use Security Ratings to Monitor Vendor Security Postures
Security assessments alone cannot support the responsive mitigation needed to keep the impact of third-party security risks minimal. This is because a security assessment only reflects the state of a vendor’s attack surface at the time it was completed. By the time the responses have been received, each vendor’s attack surface has likely already been altered by newly emerging risks.
To solve this conundrum, point-in-time assessments should be augmented with security ratings that quantify a vendor’s security posture against a list of common attack vectors. Security rating solutions continuously monitor third-party attack surfaces and instantly respond to detected variations. A drop in security rating likely indicates an emerging third-party software security risk that should be scrutinized in greater detail with a targeted risk assessment.
Watch the video below to learn how UpGuard is helping risk management teams improve the value of risk assessments.
The combination of risk assessments and security ratings gives risk management teams real-time awareness of emerging third-party software security risks.
It’s important to note that detecting a third-party software vulnerability indicates an attack vector that hackers could have already exploited. In addition to a fast and accurate vulnerability detection mechanism, you must also have controls in place for detecting data breach attempts in progress.
3. Implement a Regular Penetration Testing Schedule
Application security testing is one of the most effective methods of discovering software vulnerabilities that third-party software suppliers have overlooked. Penetration tests should ideally be performed by independent parties to remove the risk of bias.
If you’re a software developer, your pen testing policy should include internal and external tests. The most comprehensive pen test should involve a combination of Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).
SAST testing analyses the source code of a solution for vulnerabilities, including injection points, Cross-Site Scripting (XSS), and directory traversals. This test should be performed shortly after a codebase has been written. Veracode’s Static Analysis solution can be used to automate the SAST process at the production stage.
DAST testing is performed at the build stage of the software development lifecycle. This type of test is similar to red team penetration tests. Like a real hacker, the testing methodology interacts with an application to discover exploitable runtime flaws. Veracode also offers a DAST testing solution known as Dynamic Analysis.
4. Use Open-Source Vulnerability Detection Tools
Open-source products introduce security risks from deep within an application’s codebase, dispelling the myth that only public-facing web apps act as attack vectors. Software dependencies are too numerous to track, let alone monitor for security risks, but thankfully, detection tools can automate security threat discovery in open-source software. Some popular options are listed below.
OSSIndex
OSSIndex is a comprehensive, multi-technology dependency checker that supports a range of popular development ecosystems, including NPM, NuGet, Maven Central Repository, Bower, Chocolatey, and MSI. OSSIndex provides a free vulnerability API that allows developers to quickly and easily identify potential security vulnerabilities within their software.
Node Security Project (NSP)
The Node Security Project is a security-focused initiative that identifies and mitigates security vulnerabilities within Node.js modules and NPM dependencies. The project utilizes a range of powerful tools that scan and analyze dependencies to identify and report vulnerabilities, leveraging publicly available vulnerability databases such as the NIST National Vulnerability Database (NVD) as well as its own comprehensive database.
Bundler-audit
Bundler-audit is an open-source, command-line dependency checker designed explicitly for use with Ruby Bundler. The project sources vulnerability information from the NIST NVD and the RubySec vulnerability database, providing developers with a comprehensive view of potential security vulnerabilities within their software.
SRC:CLR
SRC:CLR is a commercial tool that provides developers with comprehensive dependency-checking capabilities and powerful plugins for popular development platforms, including IDEs, deployment systems, and source repositories. The tool leverages its own vulnerability database, which draws on various sources, including the NIST NVD and multiple mailing lists and bug-tracking systems.
Hakiri
Hakiri is a commercial tool that provides developers with powerful dependency checking and static code analysis capabilities for Ruby and Rails-based GitHub projects. The tool offers free plans for public open-source projects and paid plans for private projects.
How UpGuard Can Help
UpGuard’s Vulnerabilities module automatically detects third-party security threats from information exposed in each vendor’s HTTP headers, website content, and open ports. UpGuard’s attack surface monitoring feature also scans outside organizations influencing your attack surface for risks facilitating third-party breaches and supply chain attacks.
When a threat is detected, it can be instantly addressed through in-built remediation and risk assessment workflows, helping you maintain a strong security posture that’s resilient to first-party and even third-party data breaches.
UpGuard also offers a complete Vendor Risk Management solution to help you manage security risks through a proven third-party risk management framework.