Think about you are contemplating a brand new automotive for your loved ones. Earlier than making a purchase order, you consider its security scores, gas effectivity, and reliability. You would possibly even take it for a take a look at drive to make sure it meets your wants. The identical method needs to be utilized to software program and {hardware} merchandise earlier than integrating them into a company’s surroundings. Simply as you would not purchase a automotive with out realizing its security options, you should not deploy software program with out understanding the dangers it introduces.
The Rising Menace of Provide Chain Assaults
Cybercriminals have acknowledged that as a substitute of attacking a company head-on, they will infiltrate by the software program provide chain—like slipping counterfeit elements into an meeting line. Based on the 2024 Sonatype State of the Software program Provide Chain report, attackers are infiltrating open-source ecosystems at an alarming fee, with over 512,847 malicious packages detected final 12 months alone—a 156% improve from the earlier 12 months. Conventional safety instruments and processes usually miss these threats, leaving organizations unprepared.
One main instance in 2024 was a year-long provide chain assault uncovered within the Python Package deal Index (PyPI). Attackers uploaded malicious packages disguised as reputable AI chatbot instruments, hoping to trick builders into integrating them into their initiatives. These packages contained dangerous code designed to steal delicate knowledge and execute distant instructions on contaminated methods. As a result of PyPI is broadly used throughout numerous industries, this assault had the potential to compromise hundreds of purposes earlier than safety researchers at Kaspersky detected and reported the malicious exercise. This incident highlights how attackers are more and more exploiting trusted repositories to distribute malware, reinforcing the necessity for extra in-depth measures when evaluating software program.
A Palms-On Method to Threat Evaluation: Product Safety Testing
Organizations want a structured and repeatable approach to consider software program and {hardware} dangers earlier than introducing them into their environments. This course of, often called Product Safety Testing (PST), is about answering key questions:
- What dangers does this product introduce to my community?
- Ought to we use this product, or is there a safer different?
- If we use it, what mitigations needs to be put in place to attenuate danger?
PST is not nearly scanning for vulnerabilities—it is about understanding how a product behaves in your particular surroundings and figuring out its general danger affect. Given the huge variety of third-party parts utilized in fashionable IT, it is unrealistic to scrutinize each software program package deal equally. As an alternative, safety groups ought to prioritize their efforts based mostly on enterprise affect and assault floor publicity. Excessive-privilege purposes that steadily talk with exterior companies ought to bear product safety testing, whereas lower-risk purposes may be assessed by automated or much less resource-intensive strategies. Whether or not achieved earlier than deployment or as a retrospective evaluation, a structured method to PST ensures that organizations concentrate on securing probably the most important belongings first whereas sustaining general system integrity.
Studying to Assume Crimson, Act Blue
The SANS SEC568 course is designed to construct sensible expertise in PST. It focuses on black-box testing, a way that simulates real-world situations the place the supply code is not accessible. This makes it extremely relevant for evaluating third-party merchandise that organizations haven’t got direct management over. The course follows the precept of Assume Crimson, Act Blue—by studying offensive techniques, organizations can higher defend in opposition to them.
Whereas Product Safety Testing won’t ever forestall a breach of a 3rd social gathering out of your management, it’s needed to permit organizations to make knowledgeable choices about their defensive posture and response technique. Many organizations comply with a normal strategy of figuring out a necessity, deciding on a product, and deploying it with out a deep safety analysis. This lack of scrutiny can depart them scrambling to find out the affect when a provide chain assault happens.
By incorporating PST into the decision-making course of, safety groups acquire important documentation, together with dependency mapping, menace fashions, and particular mitigations tailor-made to the know-how in use. This proactive method reduces uncertainty, permitting for sooner and more practical responses when vulnerabilities emerge. Quite than relying solely on broad trade mitigations, organizations with PST documentation can implement focused safety controls that decrease danger earlier than a breach even occurs.
Who leverages Product Safety Testing?
No matter job title, having a robust basis in product safety testing results in higher safety posture and preparedness throughout the whole group. Whereas the apparent match is product safety testing groups can leverage these methodologies to guage third-party software program in addition to their very own in-house merchandise – product safety testing is not restricted to at least one particular function. This can be a useful talent set that enhances numerous positions inside a company. Safety auditors can use PST to tailor evaluations to a company’s distinctive dangers and compliance wants, whereas penetration testers can transcend easy vulnerability scans to investigate unknown protocols and proprietary software program. Software builders profit by understanding how attackers exploit safety flaws, serving to them write safer code from the beginning, whereas SOC analysts can use these expertise to detect and mitigate threats launched by new software program and {hardware}. Even decision-makers acquire insights from PST, because it helps them make knowledgeable decisions about danger, safety investments, and mitigation methods. It is essential to do not forget that it is unattainable to detect, mitigate, exploit, or develop what we do not perceive.
To achieve hands-on expertise in product safety testing, take into account attending SEC568 in Orlando from April 13-18, 2024. This coaching will present the technical basis wanted to evaluate software program and {hardware} safety successfully. Identical to taking a automotive for a take a look at drive earlier than buying, making use of a structured method to product safety testing permits organizations to completely perceive potential dangers earlier than deployment. By following a repeatable methodology, safety groups can cut back dangers and be higher ready for future threats.
Notice: This text was expertly written and contributed by Douglas McKee, the Govt Director of Menace Analysis at SonicWall, in addition to the lead writer and teacher for SANS SEC568.
