As our developers incorporate more and more third-party software components and partner APIs that we don't have direct control over, how do we test for third-party application security?
It's hard enough to find and fix security flaws in your own code. Third-party application security only increases the level of difficulty. Every year I test dozens of home-grown Web applications for security flaws both via penetration testing and source code analysis. Many of these applications have third-party components that inevitably contribute to at least one or two of the findings that make it into the final report.
Testing third-party software components for security flaws is really no different from testing your own software. The only variable, as far as actual testing is concerned, is the fact that you're not going to be able to perform a source code analysis unless it's open source software you're using. Beyond that, just use the standard ethical hacking methodology for finding security flaws. Look for SQL injection, session management weaknesses, cross-site scripting and other common -- and well-documented -- software vulnerabilities. Use the same Web application attack methods as you would for your own code. In the end, the desired outcome (to find and fix the flaws so business risks can be minimized) is the same.
One thing to keep in mind though: It's not just about finding the security flaws in third-party software components. The real challenge is figuring out how to convince the third-party vendors to fix the problems. A critical flaw in your estimation may not be critical to the vendor or developer who wrote the code. I see this quite often. You need to be prepared to make your case about business risk. If your business is a big enough customer of the developer then they might accommodate your concerns. If you don't have that luxury you have two options: Find an alternative solution and take your business elsewhere, or present your case to management and let them decide if the flaws are acceptable risks to their business.