How to Identify Vulnerable Third-Party Software

Author: Victor Gamra, CISSP, CISM, PCIP
Published: January 28, 2021

Editor's note: The following is a sponsored blog post from FortifyData.

The year 2020 will be reflected in history as a year of many surprises. In hindsight, one trend that, while not unexpected, caught unprepared companies off guard was the explosive occurrence of cybersecurity breaches via third-party software. These trends serve as a stark reminder of the critical role that third parties play in the failure or success of cybersecurity efforts.

Whatever the source, once a breach occurs, loss of credibility and business are among the worst fallouts. A Ponemon Institute study found that 31% of consumers discontinue using the services of a company impacted by a data breach. The average cost of a data breach is considerable: according to an IBM report, in 2020 it was $3.86 million.

The rise of third-party software risk

There is no shortage of headlines when it comes to third-party breaches. In early 2020, GE's human resources document management system, provided by Canon Business Process Services, was breached. It exposed over 200,000 personal and health benefits records of GE's current and former employees. The massive data breach affecting Instagram, YouTube and TikTok, which exposed nearly 235 million user accounts, was traced to Deep Social, a now-defunct social media data broker.

Aerospace and automotive manufacturers – Tesla, SpaceX, Boeing, and Lockheed – lost valuable intellectual property (IP) through a breach at Visser, a third-party parts company. The travel industry was also affected. Expedia, Hotels.com, and some other travel sites experienced a significant data breach via third-party Prestige Software, which stored over 10 million records from its online booking clients in an exposed AWS S3 bucket.

While third-party software is becoming a common commodity in most organizations, most of them currently lack a formal vetting process to assess the security posture of that software and to mitigate, on an ongoing basis, the risks it poses to the company's core operations.

Data breaches of such severity underscore the importance of identifying and assessing third-party software vulnerabilities as part of your overall third-party risk management (TPRM).

Best practices for identifying and managing third-party software vulnerabilities

Security research found that 22% of the participating companies did not monitor their supply chain to ensure security, and 32% failed to re-assess their vendors regularly or while onboarding new vendors.

In addition to the challenges of testing and certifying third-party software, insufficient logging and monitoring are further hurdles. Software as a Service (SaaS) often lacks measures to detect data breaches. Discovering a breach takes roughly 200 days on average, which gives attackers ample time before a response to the security incident kicks in.

To counteract these challenges, identify vulnerabilities through:

  • NextGen cybersecurity ratings: Monitoring at a single point in time isn't enough to cover the ongoing chain of security events. Next-generation TPRM tools that leverage security ratings to analyze risk and continuously monitor events can provide visibility and facilitate early detection of threats.
  • Active and passive scanning: Regular scans that identify, prioritize and assess software vulnerabilities, and map them to the releases that ship them, make your infrastructure resilient against third-party software and components. These scans must include web application vulnerability identification on third-party web applications and SaaS. Such scans typically draw on a standard such as the OWASP Top Ten, a regularly updated list of critical security risks to software that includes:
      • Injection attacks
      • Broken authentication
      • Sensitive data exposure
      • Security misconfiguration
      • Cross-site scripting
      • Insecure deserialization
      • Using components with known vulnerabilities, etc.
  • Automated risk assessment: Cyber risk assessment and scoring of third-party software, through framework-based integrated questionnaires that help you identify and auto-validate control deficiencies and gaps, is also critical to improving your overall risk posture.
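The "identify, prioritize and map to releases" step above, and the "components with known vulnerabilities" item in the OWASP list, can be illustrated with a small matcher. The following is an added example, not code from the original post or from FortifyData: it compares a constructed component inventory (which product release ships which third-party library at which version) against a constructed advisory feed, and ranks the hits by severity. The advisory identifiers, component names and CVSS scores are placeholders, not real records.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    """A known-vulnerability record. Constructed sample data, not real CVEs."""
    advisory_id: str      # placeholder identifier
    component: str
    affected_below: str   # every version strictly below this one is affected
    cvss: float


@dataclass(frozen=True)
class Finding:
    """One vulnerable component found in one of our releases."""
    release: str
    component: str
    version: str
    advisory_id: str
    cvss: float
    fix_version: str


# Constructed advisory feed (placeholder identifiers, invented components).
ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "acme-json", "1.8.3", 9.8),
    Advisory("EXAMPLE-ADV-0002", "acme-json", "2.0.1", 5.3),
    Advisory("EXAMPLE-ADV-0003", "widget-auth", "4.2.0", 8.1),
    Advisory("EXAMPLE-ADV-0004", "fast-xml", "0.9.7", 7.5),
]

# Constructed inventory: which release of our product ships which third-party
# component at which version. This is the data that lets findings be mapped
# back to releases.
INVENTORY = [
    {"release": "portal-3.1", "component": "acme-json", "version": "1.7.0"},
    {"release": "portal-3.1", "component": "widget-auth", "version": "4.2.0"},
    {"release": "portal-3.2", "component": "acme-json", "version": "1.9.0"},
    {"release": "portal-3.2", "component": "fast-xml", "version": "0.9.5-beta"},
    {"release": "portal-3.2", "component": "widget-auth", "version": "4.1.9"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.9.0' or '0.9.5-beta' into a tuple of integers for comparison.

    Tuple comparison gets 4.2.0 < 4.10.0 right where string comparison would
    not. A pre-release suffix is dropped, so '0.9.5-beta' compares like 0.9.5.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_vulnerable_components(inventory: List[dict],
                               advisories: List[Advisory]) -> List[Finding]:
    """Match every inventory entry against every advisory for that component
    and return the hits with the highest CVSS first."""
    hits: List[Finding] = []
    for item in inventory:
        for adv in advisories:
            if adv.component != item["component"]:
                continue
            if parse_version(item["version"]) < parse_version(adv.affected_below):
                hits.append(Finding(item["release"], item["component"],
                                    item["version"], adv.advisory_id,
                                    adv.cvss, adv.affected_below))
    # Worst exposure first; ties broken by release and component for stable output.
    hits.sort(key=lambda f: (-f.cvss, f.release, f.component))
    return hits


def releases_by_exposure(findings: List[Finding]) -> Dict[str, float]:
    """Summarize the highest CVSS each release carries, for release-level triage."""
    worst: Dict[str, float] = {}
    for f in findings:
        worst[f.release] = max(worst.get(f.release, 0.0), f.cvss)
    return worst


if __name__ == "__main__":
    for f in find_vulnerable_components(INVENTORY, ADVISORIES):
        print(f"{f.cvss:4.1f}  {f.release:<11} {f.component}=={f.version}  "
              f"{f.advisory_id}  fixed in {f.fix_version}")
    print(releases_by_exposure(find_vulnerable_components(INVENTORY, ADVISORIES)))
```

A real deployment would replace the inline lists with an SBOM export and an advisory feed, but the shape stays the same: a comparable version type, a per-component match, and a severity-ordered result mapped to the release that has to be patched.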

Leveraging next-generation third-party risk management solutions

Identifying and mitigating third-party software vulnerabilities can seem like a daunting task. However, leveraging a next-generation cybersecurity risk management platform for third-party risk management, such as FortifyData, will simplify how you secure your organization against threats from third-party software.

Here's what to expect from a next-gen TPRM solution for software vulnerability mitigation:

  • Automated assessment of third-party software and cyber risk scoring
  • Automated validation of third-party compliance adherence
  • Continuous monitoring and event-based alerts for early threat detection
  • Comprehensive risk reports and easy collaboration for timely remediation

Today, securing an organization involves much more than your employees and internal infrastructure. Third-party software and vendors are now an integral part of your core operational workflows and are often a weak link in your security framework.

Prioritizing and investing in next-gen TPRM tools automates, simplifies and hardens your enterprise security posture and threat resilience.