Third-party code putting companies at risk

[Image: a composite of the GNU logo and the OSI logo, ... (via Wikipedia)]

http://www.infoworld.com/d/developer-world/third-party-code-putting-companies-risk-302

This opens:

The use of third-party code in applications represents a big security
risk for companies, according to a study from security vendor Veracode.

but they go on in such a way as to make me wonder what they mean by ‘third party’. Some of what they discuss seems to come from the primary supplier. Now if the primary supplier contracted out work, how are you to know?

Companies often use code libraries that have been developed from either
open-source projects or outsourcing organizations that have been
contracted to create applications…

I wouldn’t be so quick to disparage open source projects. Some of them have demonstrated much better code quality, much better reliability and security than commercial products from first-tier vendors.

“Variable quality”? Well yes, but that goes for the products from first-tier vendors. “Ship at the end of the month regardless”. Yes, I’ve seen that. “Release to satisfy the investors/Wall Street”. I’ve seen that too. Open Source doesn’t have those constraints.

The problem is exemplified by Twitter, which saw a cross-site scripting
flaw exploited on its site on Tuesday. The third-party code enabled a
JavaScript function called “onmouseover,” Steer said. The command can
trigger activity such as a pop-up box appearing, but could also be
manipulated with the flaw to redirect a user to a malicious Web site.

If I recall correctly, “mouseover” is a function built into the browser.
Do we count the browser as a second or a third party product? If I’m using Windows and Firefox, does Firefox count as a third party product? Do plug-ins count as fourth party products? What does mobile code that is embedded in a web page I access count as?

If we want to be critical, what does the microcode in my CPU, which interprets the op-codes of the compiled program that interprets the byte code of the dynamically compiled script language, count as?
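The Twitter flaw quoted above is an attribute-injection XSS: untrusted text placed inside an HTML attribute without encoding can close that attribute and add its own onmouseover handler. The following is an added example, not code from the article, from Veracode or from this blog: it shows the vulnerable concatenation beside contextual output encoding, plus a small quote-aware check for inline handler attributes in rendered markup; the function names and the sample input are constructed for illustration.

```javascript
// Added example (not from the article or this blog): contextual output
// encoding against attribute-injection XSS, plus a check that inspects
// rendered markup for inline event-handler attributes such as onmouseover.

// Encode untrusted text for use as HTML text or inside a quoted attribute,
// so a quote in the input cannot close the attribute it sits in.
function encodeForHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Encoding does not validate the URL itself; allow only http(s) links
// for an href and fall back to a harmless anchor otherwise.
function safeHref(url) {
  const s = String(url).trim();
  return /^https?:\/\//i.test(s) ? s : '#';
}

// Vulnerable rendering: raw concatenation of user-controlled fields.
function renderLinkUnsafe(url, label) {
  return `<a href="${url}">${label}</a>`;
}

// Hardened rendering: scheme allowlist plus attribute/text encoding.
function renderLinkSafe(url, label) {
  return `<a href="${encodeForHtml(safeHref(url))}">${encodeForHtml(label)}</a>`;
}

// Collect attribute names from every start tag, honouring quoted values so
// text inside a value is not mistaken for a new attribute. Adequate for the
// markup generated here; stored content should go through a real HTML parser.
function attributeNames(markup) {
  const tagRe = /<[a-zA-Z][^\s>]*((?:"[^"]*"|'[^']*'|[^>"'])*)>/g;
  const attrRe = /\s([^\s=>"'\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*))?/g;
  const names = [];
  for (const tag of markup.matchAll(tagRe)) {
    for (const attr of tag[1].matchAll(attrRe)) names.push(attr[1].toLowerCase());
  }
  return names;
}

// Detection check: does the markup carry any on* handler attribute?
function containsEventHandler(markup) {
  return attributeNames(markup).some((name) => name.startsWith('on'));
}

// Constructed sample input: a "website" profile field that closes the href
// attribute and supplies its own onmouseover handler.
const constructedUrl = 'http://example.invalid/" onmouseover="x';
console.log(containsEventHandler(renderLinkUnsafe(constructedUrl, 'me'))); // true
console.log(containsEventHandler(renderLinkSafe(constructedUrl, 'me')));   // false
```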

This means that companies should be wary of code that hasn’t been
developed internally.

Therein lies madness. This is fine if you are a Big Name Company with plenty of resources to address such risks by having test centres and experienced staff who have the time and resources to hammer away and find the flaws, and the organizational clout to get the suppliers of the
code to kow-tow to you and aggressively work on remediation rather than revenue-positive issues like developing and shipping new product.

But “The Rest of Us” just have to trust. If we’re smart we read the relevant press and announcements, and we employ basic prudent security principles to contain the results of a flaw. We hire experienced professionals to install and administer our systems, not the teen-age son of the high-street vendor we, as an SMB, bought the systems from.

But despite the disparaging opening tone of the article, it ends with good news:

Steer said companies are taking only about 16 days to fix problems
in their code compared to more than 50 days previously. Third-party
suppliers moved even faster.

“Most third-party assessed suppliers also remediated faster than
applications on average, with three-quarters of all applications
requiring only 11 days to achieve acceptable levels of security quality.”

So the good news is that you should use third party suppliers. Does that mean use them in preference to second party, or in many cases to doing it yourself? Perhaps. There’s evidence that properly chosen open source such as the Apache web server and its various support add-ons is
more reliable than commercial products. I’m biased, but as a secure platform I’d choose the NSA SELinux or even the secure version of BSD over not just Microsoft Windows but, if the hardware constraints allowed, over Solaris and HP/UX and possibly AIX as well.

“Quality is such an attractive banner that sometimes we think we can get
away with just waving it, without doing the hard work necessary to
achieve it.” — Miles Maguire.

About the author

Security Evangelist