I was recently checking out a new product that promises to help enterprises evaluate the security of third-party partner applications, ensuring they meet certain security standards. Is there value in a product like this, or can diligent adherence to policy and process work as well?
One of the biggest changes to enterprise IT infrastructures over the last few years has been the opening up of internal network resources to third-party partner applications. The rapid rise in the number of applications accessing in-house processes and retrieving and updating data has left many network administrators struggling to ensure that enterprise resources remain secure within a shared and expanded infrastructure. A number of recent data breaches have featured vulnerabilities in third-party applications that allowed hackers to access data when they connected to the targeted victim's network and resources.
The importance of ensuring that third-party access to an organization's resources doesn't compromise the company's overall security is highlighted by the extensive coverage it receives in the Information Security Standard ISO 27001. Section A.6.2 focuses on maintaining "the security of the organization's information and information processing facilities that are accessed, processed, communicated to or managed by external parties"; and section A.10.2 requires that third-party service delivery management "implement and maintain the appropriate level of information security and service delivery in line with third-party service delivery agreements."
Despite its obvious importance, many enterprises fail to properly evaluate partner applications connecting to internal network resources. The criteria for accepting connections from partner applications must be defined, and each application measured against them. A lack of resources or misplaced confidence in longstanding relationships are the two most common excuses given for failing to do so, while a shortage of in-house skills to fully evaluate application risk is another. Firms such as Cenzic Inc., Hewlett-Packard Co. and Veracode Inc. have realized this skill shortage is weakening many enterprises' defenses and have launched a certification process that allows organizations to request that their partners test and certify applications before connecting to their networks. Cenzic's Partner Application Security Certification Program is one way enterprises can evaluate the security of third-party partner applications and ensure they meet certain security standards.
A service that employs cloud-based scanning to test for vulnerabilities can potentially deliver a more in-depth review of vulnerabilities than organizations short on manpower and resources can achieve. Outsourcing what is a highly skilled task to specialists can be cost-effective and result in more secure applications, particularly if the process is integrated into an application's development lifecycle early on.
However, proprietary code and confidentiality clauses are some of the reasons that outsourcing may not be an option. In this case, diligent adherence to policy and process can work as long as the required skills are available in-house. One advantage of having an enterprise's own security team complete the assessment is that the team should already have a good understanding of day-to-day business processes and the applicable regulatory compliance requirements, as well as an appreciation of the risks identified by the business owner. After taking into account such risk factors as reputation damage, financial loss, operational risk, sensitive information disclosure, personal safety and legal violations, an assurance level based on overall business risk should be assigned to each third-party application. This assurance level determines the extent of security testing required before an application can be accepted.
No matter who assesses and approves applications that connect to an enterprise's internal resources, continuous monitoring of network traffic generated by third-party applications is essential to spotting and analyzing any abnormal traffic. Alerts generated by network monitors have to be acted upon -- it is believed that alerts from monitoring systems were missed during the attack on Target's point-of-sale system, and acting on them could have prevented the problem from occurring. A one-off certification or review will cover only the threat landscape at that point in time, so regular audits are also key.
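To make the acceptance criteria and the continuous monitoring concrete, here is an added example (not part of the original answer) that checks each partner application's connections against an assumed list of approved internal resources and flags per-application volume spikes against a baseline; the partner names, resources and flow records are all constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed acceptance criteria: the internal resources each partner
# application was approved to reach (assumed policy data, not from the article).
APPROVED_SCOPE = {
    "payroll-vendor": {"hr-db:5432"},
    "logistics-partner": {"orders-api:443", "inventory-api:443"},
}

# Constructed hourly flow records: partner_app -> [(destination, bytes_out)].
# Six identical hours form the learning baseline; OBSERVED is the hour under review.
BASELINE = [
    {"payroll-vendor": [("hr-db:5432", 12_000)],
     "logistics-partner": [("orders-api:443", 30_000), ("inventory-api:443", 5_000)]}
    for _ in range(6)
]
OBSERVED = {
    "payroll-vendor": [("hr-db:5432", 12_500), ("file-share:445", 900)],            # resource outside approved scope
    "logistics-partner": [("orders-api:443", 2_400_000), ("inventory-api:443", 5_100)],  # volume far above baseline
}

def hourly_totals(window):
    """Total bytes sent per partner application for each hour in the baseline window."""
    totals = defaultdict(list)
    for hour in window:
        for app, flows in hour.items():
            totals[app].append(sum(b for _, b in flows))
    return totals

def detect(observed, baseline=BASELINE, scope=APPROVED_SCOPE, sigma=3.0):
    """Return alerts as (app, reason, detail) tuples; each one must be triaged, not ignored."""
    alerts = []
    history = hourly_totals(baseline)
    for app, flows in observed.items():
        # Scope violation: the partner touched something it was never approved for.
        for dst, _ in flows:
            if dst not in scope.get(app, set()):
                alerts.append((app, "out-of-scope", dst))
        # Volume anomaly: compare this hour's total against the learned baseline.
        total = sum(b for _, b in flows)
        mu, sd = mean(history[app]), pstdev(history[app])
        # A flat baseline has zero deviation, so fall back to a 50% growth threshold.
        threshold = mu + sigma * sd if sd > 0 else mu * 1.5
        if total > threshold:
            alerts.append((app, "volume-spike", total))
    return alerts
```

Running `detect(OBSERVED)` yields one out-of-scope alert for the payroll vendor and one volume-spike alert for the logistics partner, which is the kind of signal the text says must be acted upon rather than left in a queue.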
SearchSecurity expert Michael Cobb is ready to answer your application security questions -- submit them now! (All questions are anonymous.)