Published on October 29, 2023, 9:40 pm
In today’s digital economy, businesses rely heavily on third-party organizations for various functions and operations. Whether it’s manufacturing, retail, finance, or government services, partnerships and networks are essential for creating and delivering products and services. While these collaborations offer advantages in terms of economies of scale, they also introduce risks to the business.
A prime example of this is Toyota, a Japanese automaker that experienced a major setback due to a data breach suffered by one of its key suppliers, Kojima Industries. As a result, Toyota had to shut down its operations temporarily and incurred significant financial and operational losses. This incident highlights the vulnerability that arises when external parties have remote access to critical systems.
The risks associated with third-party dependence are not limited to physical suppliers but extend to technology providers as well. SolarWinds and Kaseya are two trusted names in their respective industries; however, when they experienced breaches, the impact cascaded down to their customers.
Given these challenges, how can businesses protect themselves from threats beyond their control? Siddharth Deshpande, field CTO for the Asia-Pacific region at Palo Alto Networks, offers insights into securing third-party applications.
Deshpande points out that most modern business applications are not developed from scratch but rather assembled using various elements of third-party code. These code components represent dependencies that can introduce risks since they come from an external environment. Organizations cannot always regulate what code components end up in their software pipelines.
To address this issue, Deshpande suggests taking a security-first approach throughout the application development lifecycle. By integrating security measures into the entire Continuous Integration/Continuous Delivery (CI/CD) process, businesses can engage in digital operations while maintaining an acceptable risk posture.
He emphasizes the importance of considering infrastructure as code (IaC) in supply chain protection strategies. A small misconfiguration in IaC templates can lead to excessive risks during production. To mitigate this, Deshpande suggests utilizing security labs to embed security practices into the infrastructure coding process. Developers can receive specific recommendations for addressing misconfigurations as they commit IaC templates.
Code security plays a crucial role in preventing vulnerabilities and compliance violations that arise due to the increased use of container images. Deshpande recommends continuous container vulnerability scanning throughout the code and build phases, as well as during runtime. Integrating pre-deployment scans with runtime scans allows businesses to link discovered vulnerabilities and ensures a robust container security approach.
Policy as code is another key consideration for organizations looking to enforce policies effectively throughout their development workflows. Deshpande highlights the importance of providing developers with tools for implementing policies within their coding environments. This automation streamlines the enforcement of security policies at the code level, eliminating manual processes.
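As an added illustration of the IaC and policy-as-code points above (not code from the article, the podcast or any vendor product), the following Python example evaluates a constructed template against three hypothetical policies and returns a specific recommendation for each misconfiguration, as a commit-time check would. The template schema, rule IDs and resource names are assumptions made for the example.

```python
# Added example: policy-as-code check run over an IaC template at commit time.
# The template schema, rule IDs and resource names are constructed for illustration.
import json

TEMPLATE = json.loads("""
{"resources": [
  {"type": "storage_bucket", "name": "supplier-uploads", "public_read": true, "encrypted": false},
  {"type": "firewall_rule", "name": "vendor-remote-access", "port": 3389, "source_cidr": "0.0.0.0/0"},
  {"type": "firewall_rule", "name": "web", "port": 443, "source_cidr": "0.0.0.0/0"},
  {"type": "storage_bucket", "name": "build-artifacts", "public_read": false, "encrypted": true}
]}
""")

ADMIN_PORTS = {22, 3389}  # remote administration ports that should never be open to the world

# Each policy: (rule id, resource type, predicate that is True on violation, recommendation)
POLICIES = [
    ("POL-001", "storage_bucket", lambda r: r.get("public_read", False),
     "set public_read to false and grant access per identity"),
    # A missing 'encrypted' key counts as a violation (fail closed).
    ("POL-002", "storage_bucket", lambda r: not r.get("encrypted", False),
     "enable encryption at rest"),
    ("POL-003", "firewall_rule",
     lambda r: r.get("port") in ADMIN_PORTS and r.get("source_cidr") == "0.0.0.0/0",
     "restrict source_cidr to the third party's known address range"),
]

def evaluate(template):
    """Return one finding per (resource, violated policy), in template order."""
    findings = []
    for res in template.get("resources", []):
        for rule_id, rtype, violated, fix in POLICIES:
            if res.get("type") == rtype and violated(res):
                findings.append({"rule": rule_id, "resource": res["name"], "fix": fix})
    return findings

def commit_gate(template):
    """Exit status for a pre-commit hook or CI step: 0 passes, 1 blocks the commit."""
    return 1 if evaluate(template) else 0

if __name__ == "__main__":
    for f in evaluate(TEMPLATE):
        print(f"{f['rule']} {f['resource']}: {f['fix']}")
    raise SystemExit(commit_gate(TEMPLATE))
```

Because the policies live in the same repository as the templates, a change to a rule is reviewed and versioned like any other code change.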
Building confidence in open-source security requires a holistic approach from the industry. Alongside raising awareness, it’s crucial to integrate CI/CD lifecycles effectively with existing development tools. This integration enables organizations to maintain visibility over security measures from application development through production.
When it comes to securing third-party applications, Deshpande advises CIOs, CSOs, and CTOs to drive organizational cultural awareness from top-level management. It is essential to understand the mechanisms through which third parties interact with infrastructure and the associated risks. By adopting appropriate cloud security platforms or Cloud-Native Application Protection Platforms (CNAPP), organizations can facilitate the cultural changes necessary for protecting against third-party risks.
In summary, securing third-party applications is critical in today’s digital landscape. Businesses must be proactive in mitigating risks by implementing robust security measures throughout their supply chains and application development lifecycles. By doing so, they can safeguard their operations and preserve trust among stakeholders.
To gain further insights on this topic, you can listen to Siddharth Deshpande’s conversation on PodChats for FutureCIO discussing third-party app security risks and strategies to protect enterprises from such risks.
(Note: This article is an independent analysis of the original source. For more details, please refer to the article titled “PodChats for FutureCIO: Securing third-party apps” on FutureCIO.)