Filed under: IIS & HTTP
The volatility of the current environment requires organizations to react very quickly to a changing business landscape, and to do so not only with speed but also under severe cost pressure. More and more IT teams are adopting third-party packaged solutions as their answer to the demand for quick delivery, because building proprietary solutions often satisfies neither the time nor the budget requirements.
This trend is growing fast across organizations. Businesses are signing strategic IT sourcing deals in which they hand over their entire IT support to an external vendor, making the vendor responsible for both infrastructure and personnel. Or they are moving to an outsourcing model in which they buy a solution from a third-party vendor and have it customized for their automation needs.
To cash in on this trend, some IT consulting companies have built products that they customize to each client's requirements and implement on site. In this process the one piece that gets neglected most is security.
Most organizations have no process or checkpoint in place to ensure that third-party code is implemented securely. In our experience testing applications supplied by third-party vendors, we have seen vulnerabilities that attackers could easily have exploited to access highly confidential personal and financial data.
The story is no different in other verticals. In December 2012, an Egyptian hacker breached Yahoo!'s security and gained full access to a Yahoo! database server. The SQL injection attack was carried out against a Yahoo! web application that was a third-party product.
So how can organizations protect themselves? We have proposed regular security assessments to some of the firms that run many such products. But because these products are extensively customized at implementation time, an assessment of the vendor's base product does not cover what is actually running at a given site; the best practice is a periodic code review of the code deployed at the client end.
The usual objection is that clients often feel powerless because they are not given access to the code. Recently, though, there have been cases where clients have persuaded vendors to grant code access for a security code review. In any case, when deploying or integrating a third-party application, perform proper security checks rather than simply deploying the quickest and cheapest solution. Remember, you are only as secure as your weakest link.
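As an illustration of the kind of defect a security code review of customized third-party code is meant to catch, here is an added example of a SQL injection bug of the same general class as the one mentioned above, beside its parameterized fix. This is example code written for this post; it is not code from the Yahoo! application (which is not public) or from any vendor product. It uses Python's built-in sqlite3 module with an in-memory database, and the user table and rows are constructed sample data.

```python
import sqlite3

# Constructed sample data for the demonstration (not real customer records).
# Passwords are stored in plaintext here only to keep the example short;
# a code review would flag that as a separate finding.
SAMPLE_USERS = [
    ("alice", "s3cret", "alice@example.com"),
    ("bob", "hunter2", "bob@example.com"),
    ("carol", "passw0rd", "carol@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The pattern a review must flag: user input concatenated into the SQL text.

    Returns the (username, email) rows the database considers a match.
    """
    sql = (
        "SELECT username, email FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The fix: the same query with bound parameters, so input is data, never SQL."""
    sql = "SELECT username, email FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo() -> dict:
    """Run a classic tautology payload against both versions and count the rows."""
    conn = build_db()
    payload = "' OR '1'='1"  # closes the password literal and appends an always-true clause
    vulnerable_rows = login_vulnerable(conn, "alice", payload)
    parameterized_rows = login_parameterized(conn, "alice", payload)
    return {
        "vulnerable_rows": len(vulnerable_rows),       # every user is "authenticated"
        "parameterized_rows": len(parameterized_rows), # no match for the literal string
    }


if __name__ == "__main__":
    print(demo())
```

With the payload in the password field, the concatenated query becomes `... WHERE username = 'alice' AND password = '' OR '1'='1'`; because AND binds tighter than OR, the condition is true for every row and the vulnerable version returns all three users, while the parameterized version compares the password column against the literal string and returns nothing. When reviewing deployed third-party code, searching for SQL text assembled with string concatenation or formatting (rather than bound parameters) is one of the quickest high-value checks.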