Software [In]security: Third-Party Software and Security
Handling security risk in third-party software presents interesting challenges. Much of what is written about software security deals with code that you are building, have built yourself, or are having built to your requirements. But a majority of large enterprises (even Independent Software Vendors [ISVs] themselves) make use of code developed elsewhere. This third-party software comes in two flavors—commercial software (COTS) and open source software.
At the BSIMM Community Conference in November we ran a workshop focused on controlling security risk in third-party software. Participants were all senior software security executives from twenty-three of the forty-two BSIMM firms. What made the study particularly interesting was the 50/50 mix of software providers (ISVs like Microsoft, EMC, and Adobe) and software consumers (Financial Services firms like Bank of America, Fidelity, and Citibank). Talk about diverse perspectives on the problem!
We divided participants into three groups to tackle three different aspects of the third-party software problem. Group 1 focused on the problem of auditing a particular piece of software, attempting to answer the question, “How do I know I am getting secure software?” by looking at measuring an application. Group 2 focused on the problem of auditing a firm, attempting to answer the question, “How do I know whether my vendor knows what they are doing?” by looking at measuring a firm's software security capability. Group 3 focused on the problem of open source security, attempting to answer the question, “What do I do when there is no firm?” by looking at measuring open source.
We present the results of the workshop and some further musings.
Group 1, led by Sammy, divided the problem of auditing a particular application into three major areas: 1) knowing about the vendor, 2) knowing about the acquirer (or the situation where the vendor code will find itself), and 3) current approaches.
Everyone agrees that knowing something about the Software Security Development Lifecycle (SSDL) of the vendor is a good idea. That is, not all eggs can be put into the assurance–of-an-individual-application basket. The end goal of all application audit approaches is to gather evidence for an assurance case and determine how much faith can be placed in the vendor based on the information they provide.
The vBSIMM can provide some evidence of software security clue, but it is most useful for subdividing vendors into those with some modicum of clue and those with no clue at all (a useful exercise it turns out). Currently, it is not clear enough how to interpret vBSIMM scores in practice.
A set of questions delving into a vendor's SSDL (and supporting data) can help determine what exactly a vendor does to build secure software:
- What is your threat model for this application?
- What types of security testing are you doing?
- Who is doing security testing? Is it independent?
- How do you remediate security problems? What kind of timeline is involved in remediation and what kind of enforcement is in place?
- How do you know that security defects are fixed?
- How often do you perform security testing?
- What kinds of metrics do you have on your software security effort over time?
Of course, the biggest problem with assessing application risk is that it is entirely context dependent. If you don't know where an application will end up being used (and what it will be used for), it is impossible to assign any useful risk measurement. Everybody wants to know more about the software they buy and the vendors who provide it, but this requires some introspection.
Some questions to consider:
- Do attackers want to break this particular application or do they want to take down the acquirer's brand?
- Can we get involved directly in the RFPs and other acquisition processes? (This includes service selection, vendor assurance, onboarding and deployment.)
- What is our view of risk? (Is this classified government stuff? Whose name and brand are on the application?)
- If we ask the vendor for evidence of security, how much integrity do the measurements we are asking for have? Are they repeatable?
When it comes to application audit, penetration testing appears to be the current gold standard approach. In addition to penetration test results, some acquirers also seek: attack surface review, review of cryptography, architecture risk analysis, technology-specific security testing, an external scanning regimen, binary analysis if source is unavailable, source code analysis if it is, fuzz testing (especially on new technologies), side-channel analysis on new hardware, and some attempt to ferret out grey-market components. In short, they seek many of the SSDL activities found in the Touchpoints and the BSIMM.
Both ISVs and Financial Services firms agree that standardizing application audit across all groups is a useful exercise. In the end, we can all use a better approach for vendors to make security claims that can be easily and transparently validated by acquirers.
Group 2, led by Gary, took a brainstorming approach to the problem of auditing a firm. Our first task was to explore metrics that could be used collectively to categorize a firm's software security initiative. We later discussed the metrics we wrote down and ranked them according to what the group thought would work best. The top six (there was a three-way tie for fourth place) metrics identified in this way were:
- Evidence of a documented Software Security Development Lifecycle (SSDL).
- Artifacts backing up the activities descibed in the SSDL that provide some proof of use (for example, results from an architecture risk analysis or results from a code review).
- Personal conversations with the Software Security Group lead that demonstrate a high level of knowledge about software security. (The vBSIMM takes this approach.)
- The very existence of a Software Security Group (SSG).
- A documented process for fixing security defects.
- A third-party review.
The rest of the metrics that came up during discussion (in rank order) are:
- Awareness of and/or participation in the BSIMM or vBSIMM.
- A documented system for external parties to report security defects.
- A reasonable “time to fix” for security defects reported publically.
- A site visit.
- An up-to-date security related Web page.
- Access to security people.
- A demonstrated understanding of security threats.
- Results of an open-ended questionnaire.
- Standards and guidance from organizations such as BITS.
- Static analysis results.
We approached how to determine the amout of effort dedicated to vendor control from both sides of the table. On one side, vendors report that their level of involvement in a vendor management program depends entirely on the revenue associated with the deal and the level of effort requested. Some examples serve to clarify this. One vendor volunteered that a $1M deal that was set to close in the current quarter would justify a one hour phone call with the head of product security regarding the firm's software security initiative. Likewise, a $5M deal set to close in the current quarter would allow for an on-site visit by the acquirer. Of course reputation of the customer and importance of its market also plays a role in the level of effort allocated (as does the competition). If the vendor control process is transparent and allows data to be repurposed, it is easier to conform with.
On the other side of the table, acquirers (mostly large financial services firms in our data set) tend to spend upwards of $5M /year on vendor control for third-party software. This number encompasses both software vendors who develop bespoke software for the acquirer based on requirements and commercial software vendors who provide code used in high risk business areas. On average, around 50 employees are allocated to the vendor control effort (usually divided between procurement and the centralized risk office). Most efforts are driven by strict regulatory requirements.
The most commonly used tool applied during vendor control efforts is the human interview. This approach has obvious scalability issues. Web searches, simple online questionnaires, and vendor inventory systems are also used. These tools are thresholded by the financial relationship between the acquirer and the vendor.
In the end, both vendors and acquirers agree that published information about the vendor's SSDL and artifacts that back up various claims are extremely useful. There is some disagreement over whether using the vBSIMM makes sense. Vendors tend not to like it (though some are participating happily) while acquirers favor it. We intend to address this gulf directly as soon as possible.
Group 3, led by Brian, started by listing problems commonly encountered in controlling open source security risk. Problems divide into four areas:
- Inventory: what open source code do we have/use?
- Vulnerability management: how do we find out about vulnerabilities and how do they get patched?
- Risk assessment. (This is related to vulnerability management, but has direct ties to the business interests using the open source software.)
- Risk of creating and publishing open source. (Including both contributing to and maintaining projects.)
There is a distinct difference between ISVs and Financial Services firms when it comes to open source risk. ISVs tend to handle this in legal (with licensing concerns playing a major role) whereas Financial Services firms tend to handle this in the software security group.
Tools used to address open source control include: a repository for approved open source, technology to crawl through major code bases looking for open source (with oft-cited examples being Palamida and Black Duck), purchased access to vulnerability databases maintained by third-parties, and some use of SSDL security tools (especially static analysis) to do direct analysis.
Generally speaking, costs for open source control are not tracked separately from other software security and vendor control efforts. Similarly, any metrics used tend to be the same ones applied to vendor control and or a firm's internal SSDL.
(More thoughts on controlling open source security risk can be found in John Steven's Justice League posting.)
More Transparency Required
One of the great advantages of the BSIMM project is that it provides lots of transparency with regard to what is actually going on in software security initiatives. For the purposes of this article, the BSIMM covers both acquirers and vendors. The more we can learn about actual software security initiatives and the more successfully we can measure them, the better off we'll be at ascertaining third party software security risk.