1 | Copyright © 2015, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
WORKSHOP
Handling Third Party Software
Risk
Nick Murison
Managing Consultant
Sammy Migues
Principal Consultant
Question 1
Which of the following categories for 3rd-party software do you specifically account for in your SSI?
a. Bespoke software, COTS, FoSS with no owner: all but one firm
b. “Salesforce” managed service model: 7-10
c. “Service as a Service” (e.g., give me PII and I’ll do snail mail, payroll, etc.): 4
d. “Platform as a Service” (e.g., all your app are belong to us): 5
e. Pre-configured systems/appliances we build on top of: 8
f. “Injected code” as a service (analytics, trackers, ads, etc.): ?
Question 2
Is “3rd-party” a heavyweight factor in your software risk ranking process?
• Believe unknown libraries increase risk
• Probably no increased risk if we have all source code
• “We see more issues in 3rd-party code than in ours, so yes”
• “One of 17 q’s in app risk ranking”
Considering just app code, how much is <50% 3rd-party?
• Range from very small percentage to 75-80%
• 90% for one outlier
Question 3
Straw poll: what do you have in your contracts with 3rd-party software vendors?
• Some people writing SLA language with Legal support
• Have used SLA language as a lever to drive changes
• “Have to spend our own money to verify contractor is doing what’s in the contract”
  − “We make them test it (and pay) and give us the results”
• Might be a conflict between firm and vendor depending on who pays and who gets the (unfiltered) results
Question 4
What do you do for open source with no owner?
• Vendor’s job to fix it and keep it fixed
• “If you’re the only team using it, then it’s your problem”
• 7-8 trying/tracking FoSS being used
• 3-4 hosting open source on an internal repository
Question 5
What has been effective at addressing 3rd-party risk in your firm?
• PT vs SLA?
  − “We use PT to verify adherence to SLA”
  − “We’re not allowed to test some 3rd-party things; have to make them get a PT and then give us the results”
• 1 making “vendor assessment” part of security assessment
• We offer Fortify to vendors and found some critical defects
• As a vendor, get q’s like “Are you OWASP compliant?”
Question 6
What certifications / assurances held by a vendor make you more comfortable?
• “ISO 27001 is a red flag for us”
• ISO 27034 might be useful someday
• Sometimes a PT from a certain vendor is enough
• Handful deal with PCI
• Many clients for a service = many PT requests
• One might ask a vendor to do a BSIMM
  − “Yes, but I’d want the assessment to be specific to the product I have”
• “We have a large team that does product certifications”
  − Common Criteria, FIPS 140-2, EMVCo
Nick Murison
Managing Consultant
Sammy Migues
Principal Consultant