Copyright © 2015, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.

WORKSHOP

Handling Third Party Software Risk

Nick Murison
Managing Consultant
[email protected]

Sammy Migues
Principal Consultant
[email protected]

Question 1

Which of the following categories for 3rd-party software do you specifically account for in your SSI (software security initiative)?

a. Bespoke software, COTS, FoSS with no owner: all but one firm

b. “Salesforce” managed service model: 7-10

c. “Service as a Service” (e.g., give me PII and I’ll do snail mail, payroll, etc.): 4

d. “Platform as a Service” (e.g., all your app are belong to us): 5

e. Pre-configured systems/appliances we build on top of: 8

f. “Injected code” as a service (analytics, trackers, ads, etc.): ?

Question 2

Is “3rd-party” a heavyweight factor in your software risk ranking process?

• Believe unknown libraries increase risk

• Probably no increased risk if we have all source code

• “We see more issues in 3rd-party code than in ours, so yes”

• “One of 17 q’s in app risk ranking”

Considering just app code, how much is 3rd-party (<50%)?

• Range from very small percentage to 75-80%

• 90% for one outlier

Question 3

Straw poll: what do you have in your contracts with 3rd-party software vendors?

• Some people writing SLA language with Legal support

• Have used SLA language as a lever to drive changes

• “Have to spend our own money to verify contractor is doing what’s in the contract”

− “We make them test it (and pay) and give us the results”

• Might be a conflict between firm and vendor depending on who pays and who gets the (unfiltered) results

Question 4

What do you do for open source with no owner?

• Vendor’s job to fix it and keep it fixed

• “If you’re the only team using it, then it’s your problem”

• 7-8 trying/tracking FoSS being used

• 3-4 hosting open source on an internal repository

Question 5

What has been effective at addressing 3rd-party risk in your firm?

• PT (penetration testing) vs SLA?

− “We use PT to verify adherence to SLA”

− “We’re not allowed to test some 3rd-party things; have to make them get a PT and then give us the results”

• One firm making “vendor assessment” part of security assessment

• “We offer Fortify to vendors and found some critical defects”

• As a vendor, get q’s like “Are you OWASP compliant?”

Question 6

What certifications / assurances held by a vendor make you more comfortable?

• “ISO 27001 is a red flag for us”

• ISO 27034 might be useful someday

• Sometimes a PT from a certain vendor is enough

• Handful deal with PCI

• Many clients for a service = many PT requests

• One might ask a vendor to do a BSIMM

− “Yes, but I’d want the assessment to be specific to the product I have”

• “We have a large team that does product certifications”

− Common Criteria, FIPS 140-2, EMVCo

Contact

Nick Murison
Managing Consultant
[email protected]

Sammy Migues
Principal Consultant
[email protected]