Today's complex and connected supply chain translates into quick communication with partners. At the same time, it creates a huge opportunity for data leakage and security issues that need to be addressed proactively in supply chain systems.
"Every enterprise is connected in some way to its partners in the supply chain and must allow access to communicate back and forth," Bala Venkat, chief marketing officer at the applications security vendor Cenzic, told us. "That exposes third-party applications. Unfortunately, we see a high level of confusion about what application security is. Too often, it gets confused with network layer or secure socket layer security."
Partners in the supply chain may serve as a back door to a desired target. "Hackers often try to find the weakest link of the network they want to attack," Venkat said. "Connection-related attacks are becoming increasingly popular, so it's become very compelling to solve."
The answer, then, is a proactive look at the security of supply chain software being used by the organization and its partners. "You simply can't tell a partner that you can't connect with their systems, but you can ask for independent verification that the applications in question are free from all the possible vulnerabilities that exist."
Today, Cenzic introduced its Partner Application Security Certification Testing Program, which offers this type of certification. The Cenzic Partner-Application Security Scanning (Cenzic PASS) service uses a combination of consulting and cloud-based vulnerability scanning-as-a-service to test and certify integrated applications. Venkat said it can identify and help remediate more than 6,000 vulnerabilities.
Knowing how to launch a process around application security can be daunting. However, Venkat recommends a three-step assessment process.
- Define the security standards: Understand what applications are being used to connect partners across the supply chain. What standards do they meet? What level of vulnerability scanning is needed? Financial, logistics, and accounting applications, for example, are likely targets and should be rigorously protected. "As part of step one, there needs to be an automated workflow, so application owners are guided through the process of managing associated applications."
- Ask partners to take responsibility for scanning their apps: After classifying applications as high, medium, or low risk, partners should scan each one for security holes and remediate them.
- Appoint an administrator to monitor and manage app certification: Since software is constantly upgraded and updated, someone has to monitor and verify that all critical applications are being secured. "This person would monitor the dashboard report on what applications are certified and which have not."
Too often, application security becomes a reactive activity; it takes center stage only after a breach has occurred. "In trying to improve margins and optimize cost, supply chains often overlook security programs."
Let us know how your organization is tackling application security with its partners.
— Hailey Lynne McKeefry, EBN