RL Blog

Leverage third-party software validation to bolster your supply chain security

Here's how risks emerge with third-party software, and why third-party partners are best for validating software security end-to-end

Edward Amoroso
Blog Author

Edward Amoroso, Founder and CEO, TAG InfoSphere.


Most security teams will point to the software supply chain as one of their most serious cyber risks. The most commonly cited problem is that software from external suppliers and partners can contain malware, or can support unwanted behavior that would allow an attacker to compromise enterprise resources or data.

To deal with this risk, enterprise teams must find a way to address the integrity of the software being used, either as components of internally managed systems or embedded in some externally managed platform or system. This is not an easy task, and typically requires partnership with a capable commercial vendor. 

In this post, we look at how risk emerges with third-party software and why third-party software security validation is key to mitigating that risk. We also explain why partner solutions that offer effective functional support in mitigating software supply chain attacks are essential.


Third-party software risk 

The cyber risks that emerge in the context of third-party software are no longer a point of debate in the security community. Rather, the typical discussion is more along the lines of how to locally prioritize these risks in the context of the organizational mission. The most common risks from third-party software include the following:  

  • Exploitable vulnerabilities – Third-party software may contain, or be configured with, weaknesses that malicious intruders can exploit.
  • Software containing malware – Software from third parties may include malware inserted during the development or delivery process.
  • Data leakage – Third-party software may fail to sufficiently protect enterprise data, resulting in leakage with potentially high consequences.

The implication here is that dependence on third parties for software introduces risk that must be addressed in some manner. External validation of third-party software is one of the more promising methods of risk reduction. Here's how this typically works in the context of a partnership with a capable commercial vendor. 

Third-party software validation 

To deal with third-party software risk, enterprise teams should select a commercial vendor partner that can perform validation on all software of interest. As suggested above, the ReversingLabs platform offers effective support in this area and will serve to define suitable functional requirements.  

Specifically, we recommend that third-party validation include the following functional security capabilities: 

Learn how the ReversingLabs team can assist buyers with any questions about how these functions work together on the platform. TAG Cyber analysts are also always available to provide guidance on how this and similar platforms can be used to reduce the cyber risks associated with third-party software. 

Copyright © 2023 TAG Cyber LLC. This report may not be reproduced, distributed, or shared without TAG Cyber’s written permission. The material in this report comprises the opinions of the TAG Cyber analysts and is not to be interpreted as consisting of factual assertions. All warranties regarding this report’s correctness, usefulness, accuracy, or completeness are disclaimed herein.

