Q

Third-party application security must be tested for vulnerabilities

Security expert Kevin Beaver offers advice on how to find third-party application security vulnerabilities and how to fix them.

As our developers incorporate more and more third-party software components and partner APIs that we don't have direct control over, how do we test for third-party application security?

Kevin Beaver

It's hard enough to find and fix security flaws in your own code. Third-party application security only increases the level of difficulty. Every year I test dozens of home-grown Web applications for security flaws both via penetration testing and source code analysis. Many of these applications have third-party components that inevitably contribute to at least one or two of the findings that make it into the final report.

Testing third-party software components for security flaws is really no different from testing your own software. The only variable, as far as actual testing is concerned, is the fact that you're not going to be able to perform a source code analysis unless it's open source software you're using. Beyond that, just use the standard ethical hacking methodology for finding security flaws. Look for SQL injection, session management weaknesses, cross-site scripting and other common -- and well-documented -- software vulnerabilities. Use the same Web application attack methods as you would for your own code. In the end, the desired outcome (to find and fix the flaws so business risks can be minimized) is the same.

One thing to keep in mind though: It's not just about finding the security flaws in third-party software components. The real challenge is figuring out how to convince the third-party vendors to fix the problems. A critical flaw in your estimation may not be critical to the vendor or developer who wrote the code. I see this quite often. You need to be prepared to make your case about business risk. If your business is a big enough customer of the developer then they might accommodate your concerns. If you don't have that luxury you have two options: Find an alternative solution and take your business elsewhere, or present your case to management and let them decide if the flaws are acceptable risks to their business.
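The black-box approach the answer describes, as an added example that is not part of the original column or any vendor's code: a constructed stand-in for a closed-source component (`VendorComponentV1`, its hypothetical patched release `VendorComponentV2`, and `black_box_findings`) is probed the same way a home-grown module would be, using only its public interface. The probes are the textbook SQL injection tautology and an HTML marker string, and a finding is recorded only when the component's observable behaviour differs from what a correctly built component would show.

```python
import html
import sqlite3


class VendorComponentV1:
    """Constructed stand-in for a third-party module whose source we cannot read."""

    def __init__(self, conn):
        self.conn = conn

    def find_user(self, username):
        # Builds the query by string concatenation: the defect the test should surface.
        sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
        return self.conn.execute(sql).fetchall()

    def render_greeting(self, name):
        # Emits caller-supplied text into HTML without encoding it.
        return "<p>Hello, " + name + "</p>"


class VendorComponentV2(VendorComponentV1):
    """Hypothetical patched release: same interface, parameterized query, encoded output."""

    def find_user(self, username):
        sql = "SELECT id, username FROM users WHERE username = ?"
        return self.conn.execute(sql, (username,)).fetchall()

    def render_greeting(self, name):
        return "<p>Hello, " + html.escape(name) + "</p>"


def make_db():
    """Constructed sample data: an in-memory SQLite table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn


def black_box_findings(component):
    """Probe a component through its public interface only and list what it gets wrong.

    Each check compares behaviour on a benign input against behaviour on a
    well-known probe; the component's source is never consulted.
    """
    findings = []

    # SQL injection: a lookup for a name that does not exist must return no rows.
    # If the classic quote-and-tautology probe returns more rows than the benign
    # lookup, the input reached the SQL parser instead of being bound as a value.
    baseline = component.find_user("nobody")
    probe = component.find_user("nobody' OR '1'='1")
    if len(probe) > len(baseline):
        findings.append("sql-injection: find_user")

    # Cross-site scripting: a harmless marker tag must not survive rendering
    # verbatim; correct output encoding turns the angle brackets into entities.
    marker = "<b>probe</b>"
    if marker in component.render_greeting(marker):
        findings.append("xss: render_greeting")

    return findings


if __name__ == "__main__":
    for cls in (VendorComponentV1, VendorComponentV2):
        print(cls.__name__, "->", black_box_findings(cls(make_db())) or "no findings")
```

The same two probes work regardless of whether the component is open or closed source, which is the point of the answer: the testing method does not change, only the remediation path does. When the vendor ships a fix, re-running the identical checks against the new release gives an objective, repeatable statement of whether the reported flaw is actually closed.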

This was first published in March 2014
