FORRESTER SECURITY & RISK CONFERENCE — Companies need to take steps to minimize the risk posed by third-party software in the supply chain, which has grown significantly over the past few years, analysts advised at the Forrester Security & Risk 2021 Conference this week.
The concerns come as external attacks increasingly come through vulnerabilities in third-party software, such as open source projects or a breach of a third-party provider. More than a third of external attacks (35%) are carried out through exploiting a vulnerability, while another third (33%) come from a breach of a third-party service or software maker, according to a Forrester survey of 530 security decision-makers.
The growth of third-party risk threatens to undermine the security of enterprise applications if companies don't take steps to tame the problem, Alla Valente, senior analyst at Forrester, said during a roundtable at the conference.
"We have a lot of third-party risk and it's just escalating, and part of the reason is there are more third parties than we've ever had," she said. "If you didn't create [a particular application] and you are relying on someone else to maintain it, chances are ... [ security] is not going to get done."
The issue will become more important in 2022, as governments start to draft guidelines for secure software. The Biden administration, for example, signed an executive order in May requiring the National Institute of Standards and Technology (NIST) to draft guidelines for federal contractors to better secure software. The guidelines include providing a software bill of materials, or SBOM, to the government for their products and attesting to the security of the developers' build environments. NIST already has created draft guidelines for securing Internet of Things devices and software and held a workshop in September with industry to discuss the topics.
SBOMs are a key component for companies to understand their risk and identify software components as well as extended dependencies that could undermine an application's security, Chris Condo, principal analyst with Forrester, said during the presentation.
"Most developers just connect to a repo and they download the latest software versions of whatever packages they are using, but are those packages being scanned for vulnerabilities and is everyone even using the same version?" Condo said, adding that without a focus on such issues, companies are just delaying security problems. "You are creating more technical debt, more security issues that you will have to deal with downstream in a more expensive way."
The inconsistent nature of open source software continues to be a key issue. While major packages are typically well managed, many enterprises end up using packages — often through dependencies of more common components — that are not as well managed and may have vulnerabilities.
While the average time that open source software projects remediate vulnerabilities has dropped significantly (from 371 days in 2011 to 28 days in 2021), the number of packages hosted by the major ecosystems have grown significantly — 20% in the last year, according to a report published by software security firm Sonatype.
Companies need to delve into the packages they rely on for software development and determine if they pose a security issues, Condo said. "Understanding what you are actually depending on is really important, where is the weakest link, where are these issues going to arise, and should we use something that is a proprietary package or something that is curated," he said.
The AI/ML Factor
As companies increasingly pursue analytics based on artificial intelligence and machine learning (AI/ML), they are facing on similar issues. AI/ML represents a specific facet of the open source problem because a great deal of the algorithms are encoded in open source projects. Businesses should determine whether these components pose a risk to their business, analyst Valente said.
"Organizations are leveraging AI and machine learning, and the question is not whether they are going to use AI and ML but whether they are going to buy it or build it," Valente said. "If they are going to buy ML or AI models, that is not something that they are maintaining — in many cases it is open source, and even commercial software, is 75% to 90% open source."
Finally, businesses need to focus on security issues earlier in the process. Determining that an open source dependency poses a security issues and removing it from consideration is far less expensive than attempting to close security issues found in the software after deployment, Condo said.
"You are creating more technical debt, more security issues that you will have to deal with downstream in a more expensive way," Condo said, adding that security should be part of the entire software development chain. "If you thought about really shifting left your security and designers doing threat modeling, review it with a security expert, and think about [things like] where data should reside and how to secure some of these APIs."