![Protect your software supply chain Protect your software supply chain](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZl217WDB9lLDNtiXmqfaWxb7dJtUL4Ps6UYjv5x6-28kmsTl92ZvGQqlvPG9kBOqoD2FyhtFWXDe8Gu6ChtIez6ua0hfFd-mC2nglIQxYxqEkXjzVK3H0Ga4gJvFzDVOLql3uBoSi4RURyDsSaAVYs1GPKx15CYroP8jpBq7giMHYElBrap1VK4GMfBw/s728-rw-e365/supply.png)
Imagine you are considering a new car for your family. Before purchasing, you would assess its safety rating, fuel efficiency and reliability, and you might take it for a test drive to make sure it meets your needs. The same approach should be applied to software and hardware products before they are integrated into your organization’s environment. Just as you would not buy a car without knowing its safety features, you should not deploy software without understanding the risks of implementing it.
Rising threat of supply chain attacks
Instead of attacking an organization head-on, cybercriminals know that they can infiltrate the software supply chain, much like slipping counterfeit parts onto an assembly line. According to the 2024 Sonatype State of the Software Supply Chain Report, more than 512,847 malicious packages were discovered last year alone, up 156% from the previous year. Traditional security tools and processes often overlook these threats, and most organizations are not ready for them.
One of the most notable examples of 2024 was a year-long supply chain attack discovered in the Python Package Index (PyPI). The attacker uploaded malicious packages disguised as legitimate AI chatbot tools, enticing developers to integrate them into their projects. These packages contained harmful code designed to steal sensitive data and execute remote commands on infected systems. Because PyPI is widely used across many industries, the attack could have compromised thousands of applications before Kaspersky’s security researchers detected and reported the malicious activity. This incident highlights that attackers are increasingly abusing trusted repositories to distribute malware, and reinforces the need for additional, more detailed measures when evaluating software.
A practical approach to risk assessment: product security testing
Organizations need a structured, repeatable method for assessing software and hardware risks before deploying products into their environment. This process, known as product security testing (PST), answers key questions:
What risks does this product pose to my network? Do I need to use this product or is there a safer alternative? If used, what mitigation should be made to minimize risk?
PST is more than just scanning for vulnerabilities. It means understanding how a product works in a particular environment and determining its impact on overall risk. Given the large number of third-party components used in modern IT, it is unrealistic to scrutinise every software package equally. Instead, security teams should prioritize their efforts based on business impact and attack surface exposure. High-value applications that frequently communicate with external services should undergo full product security testing, while low-risk applications can be evaluated with automated, less resource-intensive methods. Whether performed before deployment or as a retrospective analysis, a structured approach to PST lets organizations focus on protecting their most important assets first while maintaining the integrity of the entire system.
Learn to think about red and act blue
The SANS SEC568 course is designed to build practical skills in PST. It focuses on black box testing, which simulates real-world conditions where source code is not available. This makes it highly applicable to evaluating third-party products that the organization does not directly control. The course follows the Think Red, Act Blue principle: learning offensive tactics helps organizations defend better.
Product security testing cannot prevent a breach of third-party controls, but it does allow organizations to make informed decisions about their defensive posture and response strategies. Many organizations follow a standard process of identifying a need, selecting a product and deploying it without any deep security assessment. This lack of scrutiny leaves them scrambling to determine the impact when a supply chain attack occurs.
By incorporating PST into the decision-making process, security teams produce important documentation, including dependency mapping, threat models, and specific mitigations tailored to the technology in use. This proactive approach reduces uncertainty and allows for faster, more effective responses when vulnerabilities appear. Rather than relying solely on broad, industry-wide mitigations, organizations with PST documentation can implement targeted security controls that minimize risk before a breach occurs.
Who is taking advantage of product security testing?
Regardless of your position, having a strong foundation in product security testing improves the security posture and preparedness of your entire organization. The obvious fit is a product security test team, which can apply these methodologies to evaluate third-party software as well as its own internal products, but product security testing is not limited to specific roles. It is a valuable skill set that strengthens many positions within an organization. Security auditors can use PST to tailor assessments to an organization’s own risk and compliance needs, while penetration testers can go beyond simple vulnerability scans to analyze unknown protocols and proprietary software. Application developers benefit from understanding how attackers exploit security flaws and can write more secure code from the start, while SOC analysts can use these skills to detect and mitigate threats introduced by new software and hardware. Even decision makers gain insight from PST, because it helps them make informed choices about risk, security investments, and mitigation strategies. It is important to remember that we cannot detect, mitigate, or defend against what we do not understand.
To gain hands-on experience in product security testing, consider joining SEC568 in Orlando from April 13-18, 2024. This training provides the technical foundation needed to effectively assess software and hardware security. Applying a structured approach to product security testing, just like test driving a car before purchasing it, enables organizations to fully understand the potential risks before deployment. By following a repeatable methodology, security teams can reduce risk and be better prepared for future threats.
Note: This article was expertly written and contributed by Douglas McKee, executive director of threat research at SonicWall and the lead author and instructor of SANS SEC568.