Building App Layer Security Into the Supply Chain

Today's complex and connected supply chain translates into quick communication with partners. At the same time, it creates huge opportunity for data leakage and security issues that need to be addressed proactively in supply chain systems.

“Every enterprise is connected in some way to its partners in the supply chain and must allow access to communicate back and forth,” Bala Venkat, chief marketing officer at the application security vendor Cenzic, told us. “That exposes third-party applications. Unfortunately, we see a high level of confusion about what application security is. Too often, it gets confused with network layer or secure socket layer security.”

Partners in the supply chain may serve as a back door to a desired target. “Hackers often try to find the weakest link of the network they want to attack,” Venkat said. “Connection-related attacks are becoming increasingly popular, so it's become very compelling to solve.”

Today, the electronics supply chain faces a daunting number of potential security flaws, including form caching issues, JavaScript vulnerabilities, SQL injection attacks, and web server configuration vulnerabilities. Each makes critical information, from product designs to price lists, vulnerable to attack. The rise of mobile supply chain apps will only increase the potential application vulnerabilities of the supply chain.

The answer, then, is a proactive look at the security of supply chain software being used by the organization and its partners. “You simply can't tell a partner that you can't connect with their systems, but you can ask for independent verification that the applications in question are free from all the possible vulnerabilities that exist.”

Today, Cenzic introduced its Partner Application Security Certification Testing Program, which offers this type of certification. The Cenzic Partner-Application Security Scanning (Cenzic PASS) service uses a combination of consulting and cloud-based vulnerability scanning-as-a-service to test and certify integrated applications. Venkat said it can identify and help remediate more than 6,000 vulnerabilities.

Knowing how to launch a process around application security can be daunting. However, Venkat recommends a three-step assessment process.

  1. Define the security standards: Understand what applications are being used to connect partners across the supply chain. What standards do they meet? What level of vulnerability scanning is needed? Financial, logistics, and accounting applications, for example, are likely targets and should be rigorously protected. “As part of step one, there needs to be an automated workflow, so application owners are guided through the process of managing associated applications.”
  2. Ask partners to take responsibility for scanning their apps: After classifying applications as high, medium, or low risk, partners should scan each one for security holes and remediate them.
  3. Appoint an administrator to monitor and manage app certification: Since software is constantly upgraded and updated, someone has to monitor and verify that all critical applications are being secured. “This person would monitor the dashboard report on what applications are certified and which have not.”

Too often, application security becomes a reactive activity; it takes center stage only after a breach has occurred. “In trying to improve margins and optimize cost, supply chains often overlook security programs.”

Let us know how your organization is tackling application security with its partners.

— Hailey Lynne McKeefry, EBN

15 comments on “Building App Layer Security Into the Supply Chain”

  1. Hailey Lynne McKeefry
    February 24, 2014

    It's interesting to note that we haven't gotten very far in terms of addressing basic application security. OWASP recently put out its update of the top ten security holes in apps, updated after three years, and the list was the same–no problem had been eradicated. Some had gotten slightly more or less common: Category:OWASP Top Ten Project – OWASP

  2. Anand
    February 26, 2014

    The electronic supply chain is huge. For inventory control, it uses a number of logistics-based software packages from third-party developers. If somehow the information of the inventory gets leaked, there might be a huge loss, and competitors, who are constantly employing unethical means to learn other companies' secrets, would be at a huge profit. Thus, to prevent this, there must be an increased level of security on the software. This problem can be managed by using the software of trusted third-party developers, who have a growing reputation in the market.

  3. Anand
    February 26, 2014

    Defining security standards would also be a nice way of managing, but tracing the whole supply chain security to a couple of points (i.e. standardizations) is next to impossible. Too much security would increase the costs of operation.

  4. Hailey Lynne McKeefry
    February 26, 2014

    @anandvy, the nature of the threats is evolving as well. Today, we have nation-state actors as well as financially motivated hackers. The first is looking for information that can be leveraged for political gain, and the second is looking for data that can be monetized and systems that can be leveraged for activities that can be monetized. Adding to the complexity is that hackers are now selling exploits as a service, so now there is a broadening number of hackers that are buying the ability to take down the competition. Clearly, security is only going to get more important to the supply chain.

  5. Hailey Lynne McKeefry
    February 26, 2014

    @anandvy, there's always a balance between cost of security and the level of risk. Smart organizations create a list of potential threats/risks and start at the efforts that bring the biggest impact. Further, supply chain leaders need to create security policies that are pushed out to every partner that accesses any system. These policies need to be audited regularly. It's not an easy task at all.

  6. Ashu001
    February 27, 2014

    Hailey,

    While I agree with this Statement in Totality; I really wonder about who will be the Organization who foots the Bill for this Full Security Blanket, so to speak.

    At a time of Plunging CAPEX globally, Spending on Supply Chain (including App Layer Security) is going to see big Falls.

    In such an environment; Companies will constantly be stuck trying to do more with less and less.

    Not the right recipe for action.

  7. Ashu001
    February 27, 2014

    Hailey,

    Nation-State Actors are a serious-Serious Problem here.

    Richard Clarke has some very interesting perspectives to share on this issue with all of us.

    http://searchsecurity.techtarget.com/news/2240214986/Richard-Clarke-NSA-revelations-show-potential-for-police-state

    We definitely do risk becoming a Stasi/Police State today.

  8. Ashu001
    February 27, 2014

    Hailey,

    When one reads articles like this one on CIO Magazine it really raises a major sense of Concern/Alarm.

    http://www.cio.com/article/748604/6_Out_of_10_Android_Apps_a_Security_Concern

    What is one supposed to do here?

    Make your entire Supply Chain so that it is based on Apple Devices?

    But then that would raise Costs Dramatically across your Entire Supply Chain (thus defeating the very purpose of the Supply Chain).

    And even that approach is not 100% safe either.

    http://www.itworld.com/security/406739/new-ios-flaw-allows-malicious-apps-record-touch-screen-presses

    http://www.reuters.com/article/2014/02/22/us-apple-flaw-idUSBREA1L01Y20140222

    The approach I prefer is to go for a White-listing Approach For Apps, where only a few Control-approved Apps are allowed onto Enterprise Devices.

    And no, BYOD won't cut it in this Enterprise.

  9. Ashu001
    February 27, 2014

    Hailey,

    I have to agree.

    That is the way these things are working today.

    And there is a reason for that.

    Most Major Threats today are just Blended Threats (either that or iterations of basic Threats which are very well chronicled in the OWASP list).

    In a way it's bad for Security Research Innovation (No cutting edge threats to talk about); but in a way it's Good for the Defenders to keep the bad guys out.

  10. Hailey Lynne McKeefry
    February 28, 2014

    @Tech4People, certainly no organization has the budget for total security. First, it's not an achievable goal, second it is a moving target, and third to try would be prohibitively expensive. However, the headlines are full of examples of hugely expensive security breaches. Think about Target just recently. Especially for a data breach, it can run to millions and billions of dollars. It's a hard line to toe–no organization has the money to really do it, but no organization can really afford not to do it. It finally comes down to identifying and mitigating the biggest risks.

  11. Hailey Lynne McKeefry
    February 28, 2014

    @Tech4People. Don't fool yourself… Apple, Android, etc. All mobile platforms and every OS has its risks. Building awareness helps. Key things to remember:

    1) Patch early, patch often

    2) Do regular security training with employees and supply chain partners

    3) Focus on a combination of closing security holes and having clear mandates around how to handle the inevitable security issue.

  12. Ashu001
    February 28, 2014

    Hailey,

    Those are very fair statements to make regarding Mobile OSes and Smartphones in General.

    Just saying from past experience here, that while the Android OS is much more Secure than the iOS Platform [because vulnerabilities are patched much faster here at the OS Level]; at the App Level Apple is definitely much more secure.

    That has a lot to do with the fact that the Android OS platform has seen more Widespread adoption than Apple's iOS and also the fact that Google has purposely left the Bar much lower when it comes to App Security than Apple (because they want to encourage as many Developers to develop for Android as possible).

    I prefer the Whitelisting Approach where you can shortlist what kind of Apps you are comfortable permitting in your Enterprise (after a Full-scale Audit of those Apps by your Software Team); especially for Business Critical Functions.

    Here's a Good MDM Audit List, Courtesy of Code42:

    http://docs.media.bitpipe.com/io_11x/io_110848/item_734110/ClientManagementChecklist.pdf

  13. Ashu001
    February 28, 2014

    Hailey,

    It's interesting that you brought up the fascinating case of the Target Data Breach.

    It had more to do with the fact that they were using unpatched Versions of XP for their Card Terminals.

    And these Terminals also had Internet Access!

    That's asking for a lot of trouble.

    Hence they got breached in a big-big way!

  14. Hailey Lynne McKeefry
    February 28, 2014

    Whitelisting is definitely a good approach…always better to let in known good than to keep out known bad.

    Your points about Android are well taken–people assume that because an app is in Apple's App Store that it is vetted… and that's not at all true. At least not in terms of security.

  15. Ashu001
    March 3, 2014

    Hailey,

    Absolutely!

    You can't simply trust that the App Store will Screen out all the Malicious Apps on its own.

    If you run your own company's IT Network you have to screen the Apps which you permit on the Network.

    If you don't do such Audits you are asking for Trouble Many Times over!

    I remember an App which made Headlines last year (in the Security world) for its Unique Ability to disguise itself in the iPhone App store during Screening time and then reveal its nefarious Characteristics only later on [iPhone screens the Apps in the App Store only once at Time of Application; not repeatedly].

    It was beyond fascinating & Scary [From a Security Practitioner Point of View].

    If you use your Apps for Financial Services Access online you have to be Doubly Careful, like this one from Bank of America today:

    http://www.itworld.com/business/407383/be-scared-bank-americas-iphone-app-be-very-very-scared

    Not surprising that more research has to be done here before we allow many more apps in the Enterprise today.
