Creating a third-party security policy to prevent a software exploit

Third-party software vulnerabilities are one of the most likely attack vectors in the information security landscape today. In this expert response, Nick Lewis discusses how to prevent these vulnerabilities from becoming exploits.

Nick Lewis
Published: 16 Aug 2010

According to Secunia, third-party software vulnerabilities now account for the vast majority of flaws on most users' computers. How much importance should enterprises place on preventing third-party software flaws? And, to an extent, aren't enterprises largely at the mercy of the third-party vendors in patching these flaws?

Secunia ApS, the Copenhagen-based organization known for its online vulnerability clearinghouse, has been tracking and scanning Windows systems for vulnerable software with its Personal Software Inspector (PSI) and Corporate Software Inspector (CSI). Secunia will identify out-of-date or vulnerable software where typically a patch or upgrade is able to block attacks or fix vulnerabilities. Secunia reported in its Half Year Report for 2010 (.pdf) that third-party program (programs not directly supplied by Microsoft) vulnerabilities are increasing and account for more vulnerabilities than the Microsoft software installed on the systems scanned.

Enterprises should increase their focus on patching third-party software by, if possible, investing in patch or...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

system management products that will allow them to push updates for all of the software used in the organization. Criminals have been moving up the network stack -- and away from operating systems -- for their attacks as network and operating system security has improved over time. Enterprises also have devoted significant efforts to patching Windows and have developed processes and procedures to manage Microsoft patches. Enterprises typically haven't spent as much effort in patching third-party software, and criminals, thus, have been increasing their efforts to exploit vulnerabilities in third-party software. Enterprises need to create a third-party security policy to take these growing threats into account, and potentially even add additional management systems to incorporate patching third-party products into their existing processes and procedures.

Enterprises are at the mercy of third-party vendors for patching these flaws and preventing a software exploit, but they are also at the mercy of Microsoft to patch their software. Enterprises should hold their vendors or software to the same high standards that they hold Microsoft for security by letting their vendors know they expect secure software and switching to more secure software when their current vendor doesn't meet this expectation.

Dig Deeper on Secure software development

All
News
Get Started
Evaluate
Manage
Problem Solve

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

Related Resources

Dig Deeper on Secure software development

Related Q&A from Nick Lewis

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.