As our developers incorporate more and more third-party software components and partner APIs that we don't have direct control over, how do we test for third-party application security?
It's hard enough to find and fix security flaws in your own code. Third-party application security only increases the level of difficulty. Every year I test dozens of home-grown Web applications for security flaws both via penetration testing and source code analysis. Many of these applications have third-party components that inevitably contribute to at least one or two of the findings that make it into the final report.
Testing third-party software components for security flaws is really no different from testing your own software. The only variable, as far as actual testing is concerned, is the fact that you're not going to be able to perform a source code analysis unless it's open source software you're using. Beyond that, just use the standard ethical hacking methodology for finding security flaws. Look for SQL injection, session management weaknesses, cross-site scripting and other common -- and well-documented -- software vulnerabilities. Use the same Web application attack methods as you would for your own code. In the end, the desired outcome (to find and fix the flaws so business risks can be minimized) is the same.
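The point above is that a component you cannot read can still be tested by its behaviour: feed it the same canonical inputs you would use against your own code and check what comes back. The example below is added here and is not from the original answer or from any vendor; it is a small black-box regression harness for a rendering component that echoes user input into HTML, and the three `vendor_render_*` functions are constructed stand-ins for a hypothetical third-party widget (one that does no encoding, one that only strips angle brackets, and one that encodes properly). It also shows why more than one probe matters: a component that passes the obvious tag probe can still fail the quote probes.

```python
import html
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed probe inputs. Each carries an HTML-significant character that a
# safe renderer must encode; if the raw probe comes back verbatim, the
# component reflects input without output encoding in that context.
REFLECTION_PROBES = [
    "<b>probe-1</b>",        # element context: angle brackets
    '"probe-2"',             # double-quoted attribute context
    "'probe-3'",             # single-quoted attribute context
    '<probe-4 attr="x">',    # tag with an attribute
]


@dataclass
class Finding:
    probe: str
    output: str
    note: str


def reflects_unescaped(render: Callable[[str], str], probe: str) -> bool:
    """True if the renderer echoes the probe back with its HTML-significant
    characters intact (i.e. without encoding them)."""
    return probe in render(probe)


def probe_renderer(render: Callable[[str], str],
                   probes: List[str] = REFLECTION_PROBES) -> List[Finding]:
    """Run every probe through the component and collect reflections."""
    findings: List[Finding] = []
    for probe in probes:
        if reflects_unescaped(render, probe):
            findings.append(Finding(probe, render(probe),
                                    "input reflected without HTML encoding"))
    return findings


# --- Constructed stand-ins for a hypothetical third-party rendering widget ---

def vendor_render_unescaped(user_input: str) -> str:
    """Interpolates input straight into markup (hypothetical weak vendor code)."""
    return f'<div class="greeting">Hello, {user_input}!</div>'


def vendor_render_angle_stripped(user_input: str) -> str:
    """A common partial fix: only angle brackets are removed, quotes survive."""
    cleaned = user_input.replace("<", "").replace(">", "")
    return f'<div class="greeting">Hello, {cleaned}!</div>'


def vendor_render_escaped(user_input: str) -> str:
    """Correct handling: encode < > & and both quote characters."""
    return f'<div class="greeting">Hello, {html.escape(user_input, quote=True)}!</div>'


def run_checks() -> Dict[str, int]:
    """Number of reflecting probes per stand-in component."""
    return {
        "unescaped": len(probe_renderer(vendor_render_unescaped)),
        "angle_stripped": len(probe_renderer(vendor_render_angle_stripped)),
        "escaped": len(probe_renderer(vendor_render_escaped)),
    }


if __name__ == "__main__":
    for name, fn in [("unescaped", vendor_render_unescaped),
                     ("angle_stripped", vendor_render_angle_stripped),
                     ("escaped", vendor_render_escaped)]:
        for f in probe_renderer(fn):
            print(f"[{name}] {f.note}: {f.probe!r} -> {f.output!r}")
```

In practice you would wire `probe_renderer` to the real component's entry point (a templating call, a widget's render method, or an HTTP request to the partner API wrapped in a function) and keep the harness in the regression suite, so a vendor update that regresses encoding is caught before release and the finding can be handed back to the vendor with a reproducible input and output.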
One thing to keep in mind though: It's not just about finding the security flaws in third-party software components. The real challenge is figuring out how to convince the third-party vendors to fix the problems. A critical flaw in your estimation may not be critical to the vendor or developer who wrote the code. I see this quite often. You need to be prepared to make your case about business risk. If your business is a big enough customer of the developer then they might accommodate your concerns. If you don't have that luxury you have two options: Find an alternative solution and take your business elsewhere, or present your case to management and let them decide if the flaws are acceptable risks to their business.
Related Q&A from Kevin Beaver