Filed under: IIS & HTTP
Business today cannot ignore varied creative spaces for marketing their offerings. And this is exactly the reason for a tremendous rise in third party applications, be it standalone programs or small plugins that add functionality. This is a departure from the previous paradigm of companies depending heavily upon enterprise software providers and a few others for all their applications.
Organizations now want to have a go at everything that seems more convenient and helps them network. Employees can’t seem to live without social networking applications like Facebook, LinkedIn and Twitter, and the many other applications offered by 3rd party providers have become essential for today’s business. According to mobile market research and consultancy firm research2guidance, the market for app development services, including application creation, management, distribution and extension services, will grow into a $100 billion market in 2015.
Although these applications and social networks are primarily intended for consumer use, companies are increasingly recognizing their business benefits. This creates a unique challenge for the IT department. Alongside the benefits, they can negatively impact productivity, network bandwidth, users’ privacy, data security and the integrity of IT systems (via malware and application vulnerabilities). Many of these applications ship with severe vulnerabilities, and exposing business and personal data to them poses a high security risk. Previously, malware was the only major threat. But today, about 75% of cyber attacks happen due to vulnerabilities in third-party applications. The general perception amongst companies is that by investing in patch management, and by patching third party applications, they will be safe. But there is more to it than just patch management.
During our network and application audits, we have observed that such patching systems, even when implemented and configured, fail to ensure 100% patch coverage. Enterprises are also always at the mercy of third-party vendors for patching the flaws and preventing a software exploit. In some cases, the patches are released months after a flaw has been detected, and in the meantime new flaws emerge. In order to be secure, 3rd party applications should be managed more proactively.
Some do’s and don’ts for third party apps:
• Depending upon risk, companies should define and offer selective usage of these applications.
• Frequent security audits of all 3rd party applications should be implemented. A good practice would be to make a security audit certificate a mandatory requirement in the application procurement tender. This would compel software product companies to implement secure coding practices and get audited by an independent security firm.
• Implementing an automated patch management system alone will not help the cause. There has to be a team of knowledgeable people managing this system and ensuring patch adherence.
• It is advisable to implement two-factor authentication for 3rd party applications. Two-factor authentication that uses out-of-band authentication, such as a PIN sent to a smart phone, requires an attacker to go to considerable lengths to beat it, and so adds an additional layer of protection.
• Conduct security awareness trainings for business users, application IT teams and Infosec teams at regular intervals to educate and sensitize teams on ongoing attack trends and how they can prevent them.
• Finally, employees themselves can ensure secure and safe usage by practicing a few things, like using different passwords for their personal and business accounts and changing them regularly. Define privacy settings in all social media applications so that personal information is not exposed. Immediately revoke access to third party applications if employees sense anything fishy in their accounts. These are small steps, but they can go a long way in ensuring safe and secure usage!
-Hardik Kothari, Business Development, Net-Square Solutions