As our developers incorporate more and more third-party software components and partner APIs that we don't have direct control over, how do we test for third-party application security?
It's hard enough to find and fix security flaws in your own code. Third-party application security only increases the level of difficulty. Every year I test dozens of home-grown Web applications for security flaws both via penetration testing and source code analysis. Many of these applications have third-party components that inevitably contribute to at least one or two of the findings that make it into the final report.
Testing third-party software components for security flaws is really no different from testing your own software. The only variable, as far as actual testing is concerned, is the fact that you're not going to be able to perform a source code analysis unless it's open source software you're using. Beyond that, just use the standard ethical hacking methodology for finding security flaws. Look for SQL injection, session management weaknesses, cross-site scripting and other common -- and well-documented -- software vulnerabilities. Use the same Web application attack methods as you would for your own code. In the end, the desired outcome (to find and fix the flaws so business risks can be minimized) is the same.
One thing to keep in mind though: It's not just about finding the security flaws in third-party software components. The real challenge is figuring out how to convince the third-party vendors to fix the problems. A critical flaw in your estimation may not be critical to the vendor or developer who wrote the code. I see this quite often. You need to be prepared to make your case about business risk. If your business is a big enough customer of the developer then they might accommodate your concerns. If you don't have that luxury you have two options: Find an alternative solution and take your business elsewhere, or present your case to management and let them decide if the flaws are acceptable risks to their business.
Dig Deeper on Topics Archive
Related Q&A from Kevin Beaver
Compare host IDS vs. network IDS through the pros and cons of each, and learn how more modern systems may be better suited to ensure effective ... Continue Reading
Explore the differing roles of inbound versus outbound firewall rules for enterprise network security and the varying use cases for each. Continue Reading
Different tools protect different assets at the network and application layers. But both network and application security need to support the larger ... Continue Reading