Last week, at the SANS DFIR Security Summit, my colleague Mike Cioffi and I had the opportunity to dive deep into an often overlooked but critical aspect of cybersecurity: the management of third-party application risks.
During our 30-minute discussion, we aimed to shed light on common challenges and misconceptions surrounding this topic. You can view the full presentation here.
Identifying the Unseen Threats
It’s a tough pill to swallow when someone points out a problem you didn’t know you had. That was our role last week—to be the bearers of inconvenient truths about your API security strategy and third-party landscape. Our goal was not just to spotlight these issues but also to guide the audience toward a strategic approach to managing them effectively.
The Escalating Problem
As organizations increasingly integrate third-party applications, each new connection introduces potential vulnerabilities. Risks such as sensitive data theft, supply chain API attacks, and ungoverned Network Host Interfaces (NHIs) become more prevalent. These threats illustrate the complex web of dependencies and the lack of control that can exacerbate security challenges.
Beyond Shifting Left or Right: Shifting Correctly
Traditional security strategies often emphasize “Shifting Left”—integrating security early in the development process. However, this approach falls short with third-party applications for several reasons:
Lack of access to original source code and control over released versions.
Varying levels of security maturity among different vendors.
Dependency on other third-party components that remain outside vendor control.
On the other hand, “Shifting Right”—which focuses on continuous monitoring and review—alone isn’t sufficient either. Although it’s crucial for identifying and mitigating risks in real time, it must be part of a more comprehensive strategy.
Shifting Correctly: A Holistic Approach
Our recommended strategy, “Shifting Correctly,” combines proactive and reactive measures to manage third-party applications effectively:
Mapping and Understanding Integrations: Knowing which applications interact and how they are connected is the first step.
Identifying Mission-Critical Applications: Recognizing and prioritizing the security of applications that are crucial to business operations.
Continuous Monitoring: Implementing real-time monitoring across all third-party applications to detect any abnormal activity quickly.
Detailed Risk Assessments and Accountability: Each application’s complexity and business impact must be assessed. Additionally, understanding who owns each API key/token is vital for accountability and security.
Monitoring Overly Permissive Secrets and Sensitive Data Flows: Keeping an eye on how sensitive information is shared between applications and ensuring that access permissions are strictly regulated.
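The checklist above, as an added example that is not from the talk or its authors: a small Python audit over a constructed inventory of third-party integrations that flags tokens with no accountable owner, reports granted scopes beyond what each integration needs, and ranks integrations by business impact, data sensitivity, over-privilege and staleness. All application names, scopes, dates, the 90-day idle threshold and the score weights are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Integration:
    name: str                   # third-party application
    mission_critical: bool      # crucial to business operations?
    owner: Optional[str]        # who is accountable for its API key/token
    granted_scopes: frozenset   # permissions the token actually carries
    required_scopes: frozenset  # permissions the integration needs
    sensitive_data: frozenset   # data classes that flow to the app
    last_used: date             # last observed API call

# Constructed sample inventory; names, scopes and dates are illustrative only.
INVENTORY = [
    Integration("crm-sync", True, "sales-eng",
                frozenset({"contacts:read", "contacts:write", "admin:*"}),
                frozenset({"contacts:read"}), frozenset({"PII"}), date(2024, 5, 1)),
    Integration("slack-alerts", False, "secops", frozenset({"chat:write"}),
                frozenset({"chat:write"}), frozenset(), date(2024, 5, 2)),
    Integration("legacy-export", True, None,
                frozenset({"files:read", "files:write"}), frozenset({"files:read"}),
                frozenset({"PII", "financial"}), date(2023, 11, 20)),
]
AS_OF = date(2024, 6, 1)  # constructed "today" used for the staleness check

def ungoverned_tokens(inventory):
    # Accountability: every token needs a named owner.
    return [i.name for i in inventory if i.owner is None]

def excess_scopes(inventory):
    # Overly permissive secrets: granted permissions beyond what is required.
    return {i.name: sorted(i.granted_scopes - i.required_scopes)
            for i in inventory if i.granted_scopes - i.required_scopes}

def risk_score(i, today, max_idle_days=90):
    # Additive score: business impact, data sensitivity, over-privilege,
    # missing ownership, and staleness (an unused token is pure liability).
    score = 3 if i.mission_critical else 0
    score += len(i.sensitive_data)
    score += len(i.granted_scopes - i.required_scopes)
    score += 2 if i.owner is None else 0
    score += 1 if (today - i.last_used).days > max_idle_days else 0
    return score

def prioritized(inventory, today):
    # Highest-risk integrations first, so assessments start where they matter.
    return sorted(((i.name, risk_score(i, today)) for i in inventory),
                  key=lambda pair: (-pair[1], pair[0]))
```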
By combining these proactive and reactive measures, organizations can significantly reduce Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), enhancing their overall security posture.
Looking Forward
Our talk was just the beginning. As threats evolve, so too must our strategies to counter them. By understanding and implementing a balanced approach to API security and third-party management, we can safeguard our data and systems more effectively than ever before.