Enterprise Business - Checklist to verify your Software Vendors

 Introduction 

Businesses cannot run without software, So every business in the wild is vulnerable to Cyber Attacks. It is important to know your Vendor, similar to how you are protecting your infrastructure. A Software product supplied by a vendor can expose significant Attack Surfaces to the wild. This is the classic Supply Chain Attack. How can Enterprises make sure the vendors are maintaining their software vendors and products are secured against Hackers. This post can help you check the list and maintain the integrity of your environment. 


Know Your Vendor

"Know Your Vendor" is a right to every customer who are using the Vendor's product. You can ask any number of questions and then decide on a Vendor. I herewith summarize the following points which I have seen customers asking me before installing our products and also from my own experience. 

  • What level of Permission does the Software take to run on the system.
    • root/SYSTEM privileges shouldn't be given unless absolutely required
  • Does the software has access to your Active Directory
  • What Database version is the software using, is it installed in your environment
  • Where are the credentials getting stored. Are they encrypted 
  • Does the software needs credentials of the users. If so why (avoid this step)
  • How many Process will the software start 
  • Will the software open any new port. 
  • If it's a cloud to on-premise communication, the communication should be vice-versa. It should be from Installed product to the cloud environment.
  • How frequently will the software update their software
  • What is the Encryption Standard in use 
  • Are the data encrypted 
  • Get the Pentest Report for the product in last 6 months 
  • Do they run SAST, DAST against the product. (IAST is optional)
  • How the code review happens
  • How the Build Process takes place. 
  • From Code pushing to Build Generation to Static endpoint, every point should be automated and no manual intervention should happen
  • Is Command Execution Supported as a feature 
  • What are the software bundles getting downloaded
  • Don't allow downloading of fat softwares(components which are not used). Check with the Vendor and get a lean version of software (only the bundles which are absolutely necessary). - This will be given as per request 

Conclusion

Enterprise Business software are ruling the world but it's absolutely important to know what is right and wrong for your Enterprise. Have this checklist filled by your vendor. Check for the recent CVEs found on the product. If there are too many, then be doubtful of the product being used. Make sure, the data obtained will not be used for any other purposes. Take "Assume Breach" approach to choosing software vendor. The software can be compromised by Attackers, and if being attacked and compromised, is your environment safe and resilient. Check this and stay safe.

Comments

Post a Comment

Popular posts from this blog

Security Score Card using Nuclei Automation

Image
  Introduction Nuclei by Project Discovery is a great tool for automation, and I've started using the tool for automated scanning of vulnerabilities and for automated regression testing. I find it very useful in adding customized templates and get accurate results. Now for a complete automation, I've written python wrapper around my nuclei test cases and added the python script to the crontab. It may not be possible to automate 0-days, but once it is a 1-day, you should have an automation to check for the vulnerability, else someone else will find it. The Idea of Score Card: Everything works great, and my target is a fixed set of around 600 servers. I had an idea to build an executive level dashboard, that can calculate a score based on the results of the automation. So, I started to build a score-card using Site24x7,  The Logic: The logic is a weighted sum of the categories of issues found.  For example in a given scenario, Severity Score High 60  Medium 30  Low 10  The formul
Read more

Extracting Dynamic Values from Multiple Requests in a Nuclei Template

Introduction We are using Nuclei for all the Security Automation tasks. We create a lot of custom templates to automate custom Authenticated APIs. A major challenge that we faced in automating this is dependence on dynamic variables. Site24x7's APIs have various dynamic entities that are dependent on other APIs for data. You can find Site24x7 Rest API reference.  Problem Statement Let's take this example for this blog. To automate monitor addition in Site24x7, we need to call a POST API "https://www.site24x7.com/api/monitors" with some body content. But, the problem is body content has so many dependencies which are dependent on other APIs. For example to call the above api, we need threshold_profile, notification_profile, user_group_id. So, to get these three values, we have to call the three apis sequentially extract the ids and pass it on to the Monitor Addition API. Nuclei Extractors https://nuclei.projectdiscovery.io/templating-guide/operators/extractors/ To ac
Read more

How I used Nuclei to Automate Basic Security Checks

 Nuclei by Project Discovery Nuclei is an automation tool built by Project Discovery. The tool is open source and has various CVE Templates bundled with it. Also, the templates are updated on a regular basis. You can also create a customized template for your needs.    Why I chose Nuclei as a DAST tool? I've been doing Product Security Testing for one of my targets. We have found various categories of bugs manually, and considering the fact that the product is a growing one and the same bug may pop-out again, we have decided to automate the security cases that we have found earlier. The tools that I considered are Burp, ZAP automation, and later I got to know about Nuclei.  I'm using the free version of Burp and it doesn't support automation, otherwise an excellent tool. ZAP is an open source tool, and it has so many options available but I feel it to be little complicated and find it difficult to use on a regular basis.  On surfing Twitter and YouTube, I got to know about
Read more