Why do enterprises need third-party vulnerability scanning?

SecureVia
6 min read · Jun 10, 2021

In March 2017, Equifax, a U.S. credit reporting agency, was hit by a massive data breach. One of its biggest causes was a well-known vulnerability in its web portal. This vulnerability (CVE-2017-5638) had been discovered in Apache Struts — an open source development framework for creating enterprise Java applications — before the breach. Although the Apache Software Foundation had released a patch, Equifax failed to apply it. Over the next few months, attackers stole the personal information of more than 140 million people, including names and Social Security numbers. The breach cost Equifax $1.4 billion in security upgrades. In January 2020, it was still making payouts worth $425 million to those affected by the cybercrime.

The Equifax breach is a great example of two modern-day truths:

  • Today, almost every software application consists of third-party code, libraries, dependencies, and open source components.
  • All kinds of software, including security software and common apps, have critical vulnerabilities.

Third-party components speed up software development and allow developers to focus on innovation rather than on reinventing the wheel for existing functionality. But this convenience comes at a cost: increased risk. For every developer who uses a component like Apache Struts to save time, there’s a cybercriminal who sees that same component as an attractive target.

The Risks of Third-party Software

The National Vulnerability Database (NVD) lists thousands of Common Vulnerabilities and Exposures (CVEs). In 2020, over 18,000 new vulnerabilities were discovered and assigned a CVE identifier. In just the first 5 months of 2021, 7000+ vulnerabilities were discovered.

Whether your organization uses software built with third-party components or builds such software itself, you are exposed to many risks, including:

  • Cross-site Scripting (XSS) and Cross-site Request Forgery (CSRF) attacks
  • Injection flaws
  • Intellectual property or data theft
  • Unauthorized access to network and applications

Another huge risk: infrastructure downtime that can lead to financial losses, affect customer relationships, and weaken your market standing.

You can mitigate such risks by:

  1. Integrating security testing into the SDLC
  2. Educating developers on secure coding
  3. Ensuring all software updates are applied, including those for third-party dependencies

While (1) and (2) require a cultural change that may take some time to implement, you can get started with (3) right away with vulnerability scanning and SecureVia!

Proactive Security with SecureVia Vulnerability Scanning

If third-party components are a part of your software ecosystem, regular vulnerability scanning is a must. By regularly scanning your network, applications, and software, you can find weaknesses early, and fix them quickly to improve your security posture.

SecureVia, a simple yet powerful solution, scans your environment including third-party assets, to identify vulnerable components that risk your entire infrastructure. Standards-based audits will check your OS, application configurations and policies, and generate interactive, user-friendly reports to show you exactly how to improve your software security. The tool will prioritize vulnerabilities (must-fix vs nice to fix), to help you triage your remediation efforts for the best possible results.

How to Perform Third-Party Software Scans with SecureVia

SecureVia can scan the software running on your enterprise infrastructure and find vulnerabilities in source code, OS images, or Docker images within minutes. Scans can also be integrated into your CI/CD pipeline.

Step 1: Log into securevia.com and click on Try It Now.

Sign up (no credit card required) to download the SecureVia solution.

Download the scanner for your OS.

Step 2: Next, copy the instructions, turn on the scanner UI, and run the scanner. To do this, you only need to paste the instructions into a terminal window.

Step 3: SecureVia offers scan types for your OS, database, applications, cloud account, and vulnerabilities. Click Vulnerabilities, then click Next.

Step 4: Select Local Scan, click Next.

Step 5: Select the directory to scan for vulnerabilities. Click on Start Scan.

Once the scan is complete, a report is generated that tells you exactly how to secure the scanned directory.

This report will show you any software that has vulnerabilities.

Step 6: Click on the application to see details of the vulnerabilities in your software.

Step 7: In addition to the version and location of the file where the vulnerability exists, you can also see the CVEs for that vulnerability and whether any patches are available for it.

At the very least, apply the patches that are already available, and treat them as a priority.

Step 8: Click on a CVE to see the CVSS score and all affected versions of that component.
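The prioritization described earlier (must-fix vs nice-to-fix) and the per-finding details in steps 7 and 8 (affected versions, CVSS score, whether a patch exists) boil down to one check: is the installed version inside an advisory's affected range? The following Python script is an added example, not SecureVia's code or output, that performs that check for a pinned dependency manifest. The advisory table is constructed sample data: the Struts entry reflects the public NVD record for CVE-2017-5638 (the Equifax vulnerability), while the second entry is a clearly labelled placeholder so the "no patch available" path is exercised. The `component==version` manifest format and the 7.0 must-fix threshold are assumptions.

```python
"""Minimal third-party dependency vulnerability check (added example).

Matches a project's pinned dependencies against a small advisory table
using inclusive version ranges, reports CVE / CVSS / fix availability per
finding, and sorts findings into must-fix vs nice-to-fix by CVSS score.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str
    component: str
    affected: List[Tuple[str, str]]  # inclusive [first, last] version ranges
    cvss: float
    fixed_in: Optional[str]          # None means no patch is available yet


# Constructed advisory table. The Struts entry mirrors the public NVD data for
# CVE-2017-5638; "CVE-EXAMPLE-0001" is a placeholder, not a real identifier.
ADVISORIES = [
    Advisory("CVE-2017-5638", "struts2-core",
             [("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")], 10.0, "2.3.32 / 2.5.10.1"),
    Advisory("CVE-EXAMPLE-0001", "example-lib", [("1.0.0", "1.4.2")], 5.3, None),
]

# Constructed sample manifest in an assumed "component==version" format.
SAMPLE_MANIFEST = """\
# pinned dependencies (constructed sample)
struts2-core==2.3.31
example-lib==1.2.0
safe-lib==4.0.0
"""

MUST_FIX_THRESHOLD = 7.0  # assumed cut-off: CVSS >= 7.0 is must-fix


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Return (component, version) pairs; unpinned entries cannot be assessed, so reject them."""
    deps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency cannot be checked: {line}")
        deps.append((name.strip(), version.strip()))
    return deps


def is_affected(version: str, advisory: Advisory) -> bool:
    """True if the version lies inside any of the advisory's inclusive ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in advisory.affected)


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    cve: str
    cvss: float
    fixed_in: Optional[str]
    priority: str


def scan(manifest_text: str, advisories: List[Advisory] = ADVISORIES) -> List[Finding]:
    """Match every pinned dependency against every advisory; highest CVSS first."""
    findings = []
    for name, version in parse_manifest(manifest_text):
        for adv in advisories:
            if adv.component == name and is_affected(version, adv):
                priority = "must-fix" if adv.cvss >= MUST_FIX_THRESHOLD else "nice-to-fix"
                findings.append(Finding(name, version, adv.cve, adv.cvss, adv.fixed_in, priority))
    findings.sort(key=lambda f: -f.cvss)
    return findings


def report(findings: List[Finding]) -> str:
    """One line per finding, stating the remediation available."""
    lines = []
    for f in findings:
        action = (f"patch available: upgrade to {f.fixed_in}" if f.fixed_in
                  else "no patch yet: mitigate or isolate the component")
        lines.append(f"[{f.priority}] {f.component} {f.version} {f.cve} CVSS {f.cvss}: {action}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(scan(SAMPLE_MANIFEST)) or "no known vulnerable components")
```

Versions are compared as integer tuples so that 2.3.31 sorts below 2.3.32 (a plain string comparison would get this wrong), and a patch release such as 2.5.10.1 correctly falls outside the 2.5.0 to 2.5.10 range. In a real pipeline the advisory table would come from NVD or a vendor feed rather than being embedded in the script.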

Third-Party Software Scans Protect from Supply Chain Attacks

If your external partners have access to your systems and data, you are vulnerable to a supply chain attack like the SolarWinds attack. In that case, attackers took advantage of multiple supply chain layers to penetrate several enterprise and government networks. Third-party vulnerability scanning can protect your enterprise from such risks.

In May 2021, President Joe Biden issued an executive order on cybersecurity. One of the big-ticket items in this order concerns improving software supply chain security. One idea is to establish baseline security standards for software sold to the government. This would include requiring developers to maintain greater visibility into their software, and making security data publicly available. The order stands up a concurrent public-private process to develop new innovative approaches to secure software development. It also uses the power of Federal procurement to incentivize the market. Finally, it proposes a pilot program to create an “energy star” type of label so the government — and the public — can determine whether software was developed securely.

Conclusion

A huge proportion of modern software, including critical software, is shipped with significant vulnerabilities that adversaries successfully exploit. Equifax and SolarWinds are just two examples of this long-standing problem. For too long, organizations have ignored the problem, and its potential repercussions.

Third-party vulnerability scanning is a fast, cost-effective way to fix software vulnerabilities before they turn into catastrophes. Even the U.S. Federal Government agrees that secure software is no longer a nice-to-have but a must-have. So why don’t we all make an effort to build secure software from the get-go? We will all benefit!

Written by SecureVia