While planning for our upcoming Ed TALK on the SolariGate attack with Microsoft and Equifax, I remembered a conversation from an earlier Ed TALK on managing Software Risk. 3rd party “stuff” is a staple in the modern enterprise due to our insatiable appetite for sophisticated and on-demand features. My three guests had slightly different thoughts about protecting their business from these dependencies.
Keep your robots clean
Charisse Castagnoli’s stance was basically, “Know your assets and keep your data clean.” For Charisse, her assets and data are one and the same. She secures payments for a 100% digital, cloud-based company. Her advice was, “You’ve got to bucketize the asset that’s going to be involved with that software. I don’t care if it’s from Salesforce, Amazon, or your neighbor’s kid down the street.” For her, “bucketizing” is really threat modeling with an eye on business continuity. She said she’d rather sacrifice performance than availability any day of the week. She even threat-models for weather. “Our payment processor got hit by that storm that went through Iowa and went down. I have no business if I have no payments. Fortunately, we had a business continuity plan. It was painful, but we managed.” Charisse always reverts to the assets she’s dealing with. Her 3rd-party vendors have to meet certain criteria for high-risk assets. For InstaPay, if a 3rd-party stores or deals with financial data, which is the primary asset she worries about, it has to be a vendor with that highest level of assurance and has a SOC 2 audit she can review and other publicly discoverable ratings. Even then, she takes precautions for the threat of that 3rd-party being compromised. InstaPay encrypts all of its data locally before sending it to the cloud for any type of processing. This is one of those performance-vs-security tradeoffs she’s willing to make.
It's all software now – and it’s complex
3rd-party software is a staple in John Masserini’s risk portfolio. For him, risk detection is key, especially around the procurement process. “Look, the reality is stuff still gets in. We wake up one day and go, when did we get that product, or when did we start using that vendor?” Getting in front of that to try and quantify and identify who the vendors are and what service they’re providing sounds simple, but it’s more complicated than you might think – and it’s crucial. He said one can never underestimate the complexity of third parties. When it comes to the cloud, he said, “Anything you run in the cloud is far more complex than you think it is…. But when we get down to the crux of it, it’s just software.” For John, discovering all the 3rd-party software in use at his company is challenging enough; depending on them to build and deliver it securely often puts his vendors in an uncomfortable position to answer difficult security questions and prove due diligence via documentation. John likes to use innovative, cutting-edge solutions and, though he often works with vendors to improve their security hygiene, when those 3rd-party solutions enter his infrastructure, he treats them as if they are malware. He war-games how to sandbox and segment them from critical data or access controls while still allowing them to function.
For your own safety, please use the equipment properly
There are a lot of security controls that come with 3rd-party software, whether it’s a full enterprise application or a cloud microservice. However, you still need to know how to use and configure those controls properly. And if you have flawed security principles, using a 3rd-party security control might not solve your problem(s.) Thinking about 3rd-party software as if it were your own is a strategy Fred Pinkett of AbsorbLMS recommends and provided a salient example. “We support SSO so that clients can use our LMS without having separate logins to a bunch of stuff. But if you hook us up to your SSO, and your SSO is configured with weak password rules, you’re not going to have a secure environment just because you’ve moved the responsibility for running the infrastructure to somebody else.” It’s akin to going to the gym and misusing one of the exercise machines – either trying to lift too much weight or using poor form. Either way, you run the risk of injuring yourself and you can’t blame the equipment ☺ So learn as much about it as you can, figure out not just how it works but model how it might fail. If there’s a user guide, read it. This allows you to “exercise” properly and get the benefits without introducing unnecessary risk.
At Security Innovation we understand that to meet the demand for feature-rich solutions, tech stacks constantly evolve. To reduce the risk increased complexity brings, teams need to collectively get smarter, from coding to configuration. We offer the industry’s largest security library for those who build, operate, and defend software. Our micro-learning approach makes it a cinch to build target skills with turn-key but customizable Learning Paths.
The usage of Commercial-off-the-shelf software (COTS) by organizations while advantageous comes with its own set of challenges and complexities. Unfortunately, it is rare for acquisition approaches to account for complex software supply chains. Our courses DSO 205 - Securing the COTS Supply Chain and DSO 206 - Securing the Open Source Supply Chain provide learners with an understanding of how to apply DevSecOps best practices to reduce software supply chain risks inherent with the use of open-source software.
