Third party dependency and mitigating risk

by Black Hat Middle East and Africa

A warm welcome to our newest subscribers - the 80 cyber warriors who joined us last week! 🥳 We are delighted to have you as part of our community. Each week, we'll be sharing insights and ideas from the Black Hat MEA community straight to your inbox, including exclusive interviews and key moments from the #BHMEA22 keynote stage. Thank you for subscribing and stay tuned for more!


🌟This week we’re focused on…

Open-source software and the risk of third party dependency.

Why?

Because on the BHMEA podcast, Vandana Verma (Security Relations Leader at Snyk) said:

“Third party dependency is a big risk to an organisation.”

Verma was speaking specifically on the rise in popularity of open-source software, and the particular security issues that come with that.

Any given piece of software or code comes with a list of Common Vulnerabilities and Exposures (CVE) entries, which publicly disclose the known security flaws in that software. Each CVE is an identifier for one disclosed flaw; the severity number attached to it is a CVSS score, not the CVE itself.

“It’s not just one risk,” Verma noted, “it’s multiple risks associated with it. If you go deep down into each list there are multiple CVE scores that have been assigned to it. Hundreds and hundreds of CVEs associated with one vulnerability. So it’s something which is very key in the industry.”

But checking known CVEs is only one piece of the puzzle when it comes to securing systems built on open-source components.

When so much is open-source, third party dependencies are a big deal 🌐

“Now we have 80% to 90% of code on the internet which is open-source. That’s a huge amount of code.”

There are tools that can help build secure processes around that code – but it’s not enough to put a system in place and then leave it. And everyone implementing third party code needs to take responsibility for the code and tools they deploy.

How can you secure a system with multiple third party dependencies?

“We need to track them,” said Verma.

OWASP Dependency-Check is one of the tools she recommended to help with this. It is a software composition analysis tool: it inspects a project’s dependencies, identifies each one (by matching it to a Common Platform Enumeration identifier where it can), looks up the publicly disclosed vulnerabilities recorded against that identifier, and links the affected dependencies to their CVE entries in a report.

“If we keep our systems up to date, if we keep our third party dependencies up to date, we can actually remove half of the issues that are there in the industry right now.”

Track everything and stay up to date🧐

Verma said:

“In a house we have certain windows, we have certain back doors — we should know what doors we have, where thieves can come in. And if we lock all our doors, how many windows do we have? If we go out, all these windows should be closed.”

So every entry point to the house should be known. Any new entry points must be tracked.

Essentially, this means an inventory of every third party component in an environment – built out with the vendor behind each component, the exact version deployed, when it was last updated, and the known vulnerabilities that apply to that version.

Track everything – so you know what to do if something goes wrong. And you know which pieces of your third party puzzle need to be replaced with an alternative solution when something stops working as it should.
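The tracking loop described in the two passages above (build an inventory of every third party component, match it against known advisories, and keep it up to date) as an added example in Python. This is not code from the newsletter, from Snyk or from OWASP Dependency-Check; it shows the mechanics such a tool performs. The pinned manifest, the package names and the advisory identifiers (EXAMPLE-…) are constructed for the example; a real run would use the NVD or OSV data that tools like Dependency-Check download. Version ranges follow the inclusive-introduced, exclusive-fixed convention the OSV schema uses.

```python
"""Dependency inventory and advisory matching (added example, not the
newsletter's or OWASP Dependency-Check's code)."""
import re
from dataclasses import dataclass

# Constructed pinned manifest in pip requirements.txt style.
# The package names are hypothetical and chosen for the example.
SAMPLE_REQUIREMENTS = """\
# build 2023-06 inventory
examplelib==1.2.0
oldparser==0.3.1   # no longer maintained upstream
safelib==2.0.0
"""

# Constructed advisory feed. Each entry: package, first affected version
# (inclusive) and first fixed version (exclusive); None = no fix published.
# The identifiers are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-2023-0002", "package": "examplelib", "introduced": "1.3.0", "fixed": "1.5.0"},
    {"id": "EXAMPLE-2022-0007", "package": "oldparser", "introduced": "0.1.0", "fixed": None},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str


def parse_version(version: str) -> tuple:
    """'1.4' -> (1, 4, 0): numeric dotted versions padded to three parts."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_requirements(text: str) -> list:
    """Build the component inventory from exact '==' pins; anything else is
    rejected because an unpinned dependency cannot be tracked precisely."""
    inventory = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9]+(?:\.[0-9]+)*)", line)
        if not match:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        inventory.append(Component(match.group(1).lower(), match.group(2)))
    return inventory


def is_affected(version: str, advisory: dict) -> bool:
    """True if version lies in [introduced, fixed), or at/after introduced
    when no fixed version exists."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    return advisory["fixed"] is None or v < parse_version(advisory["fixed"])


def match_advisories(inventory: list, advisories: list) -> dict:
    """Map each affected component to the advisories that apply to it."""
    report = {}
    for comp in inventory:
        hits = [a for a in advisories
                if a["package"] == comp.name and is_affected(comp.version, a)]
        if hits:
            report[comp] = hits
    return report


def recommended_upgrade(name: str, version: str, advisories: list):
    """Lowest fixed version above the current one that no advisory covers.
    Returns the current version if nothing applies, None if an applicable
    advisory has no fix (the component must be replaced, not updated)."""
    relevant = [a for a in advisories if a["package"] == name]
    if not any(is_affected(version, a) for a in relevant):
        return version
    candidates = sorted({a["fixed"] for a in relevant if a["fixed"]}, key=parse_version)
    for cand in candidates:
        # Re-check every advisory at the candidate: a fix for one issue can
        # still sit inside the affected range of another.
        if parse_version(cand) > parse_version(version) and not any(
            is_affected(cand, a) for a in relevant
        ):
            return cand
    return None


if __name__ == "__main__":
    inventory = parse_requirements(SAMPLE_REQUIREMENTS)
    for comp, hits in match_advisories(inventory, ADVISORIES).items():
        ids = ", ".join(a["id"] for a in hits)
        fix = recommended_upgrade(comp.name, comp.version, ADVISORIES)
        action = f"upgrade to {fix}" if fix else "no fixed version; replace the component"
        print(f"{comp.name}=={comp.version}: {ids} -> {action}")
```

On the sample data, examplelib 1.2.0 is hit by the first advisory only, but the naive fix (1.4.2) falls inside the second advisory’s range, so the recommendation becomes 1.5.0; oldparser has no fixed version, which is the "replace with an alternative" case the passage above describes.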

Learn more from Vandana Verma at Black Hat MEA 2023 📣

Alongside her work at Snyk, Verma is part of the OWASP Global Board of Directors, and leads diversity initiatives including InfosecGirls and WoSec. She’s currently pursuing a PhD in Cybersecurity, and she’s a member of the Black Hat Asia Review Board.

If you want to learn more, register now to attend Black Hat MEA 2023. We’d love to see you there.

Have you ever experienced a security breach or vulnerability due to third-party dependencies?

1. Yes 😟

2. No 🤓

We value your input! If you have an idea for a topic you'd like us to cover in our next newsletter, drop us a message and share your ideas. Our next newsletter is scheduled for 5 July 2023.

Catch you next week,
Steve Durning
Exhibition Director
