Imagine you are considering a new car for your family. Before buying, you check its safety ratings, fuel efficiency and reliability, and you may even take it for a test drive to make sure it meets your needs. The same approach should be applied to software and hardware before integrating them into the organization. Just as you would not buy a car without knowing its safety features, you should not expand your software footprint without understanding the risks it introduces.
The growing threat of supply chain attacks
Cybercriminals have realized that instead of attacking an organization directly, they can penetrate it through the software supply chain, much like slipping counterfeit parts into a production line. According to the 2024 State of the Software Supply Chain report, attackers are infiltrating the open source ecosystem at an alarming pace, with more than 512,847 malicious packages discovered last year alone, a 156% increase over the previous year. Traditional security tools and processes often miss these threats, leaving organizations unprepared.
One major example from 2024 was a supply chain attack discovered in the Python Package Index (PyPI). The attackers uploaded malicious packages disguised as legitimate AI chatbot tools, hoping to trick developers into pulling them into their projects. These packages contained harmful code designed to steal sensitive data and execute remote commands on infected systems. Because PyPI is widely used across many fields, the attack had the potential to compromise thousands of applications before security researchers at Kaspersky found and reported the malicious activity. This incident highlights how attackers increasingly abuse trusted repositories to distribute malware, reinforcing the need for additional in-depth measures when evaluating software.
A practical approach to risk assessment: product security testing
Organizations need a structured and repeatable way to evaluate software and hardware before introducing them into their environment. This process, known as product security testing (PST), consists of answering key questions:
- What are the risks of introducing this product onto my network?
- Should this product be used at all, or is there a safer alternative?
- If we use it, what mitigations should be put in place to minimize the risk?
PST is not just about scanning for vulnerabilities; it is about understanding how the product behaves in your specific environment and determining its overall risk. Given the large number of third-party components used in modern IT, it is unrealistic to study every software package with equal depth. Instead, security teams should prioritize their efforts based on business impact and attack surface. High-privilege applications that frequently communicate with external services should undergo full product security testing, while lower-risk applications can be assessed with automated or less intensive methods. Whether it is done before deployment or as a retrospective analysis, a structured approach to PST ensures that organizations focus on protecting their most important assets first while maintaining the overall integrity of the system.
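The prioritization described above can be turned into a simple intake step that ranks a product inventory and assigns each entry the depth of review it should get. The following is an added example, not code from the article or from the SEC568 course; the weights, tier thresholds and the sample inventory are constructed for illustration and should be tuned to your own environment.

```python
from dataclasses import dataclass

@dataclass
class Product:
    name: str
    privilege: str        # "user", "service" or "admin" (level it runs with)
    external_comms: bool  # True if it talks to services outside the network
    business_impact: str  # "low", "medium" or "high"
    deployed: bool        # True if already in production (retrospective review)

# Constructed weights: privilege and business impact multiply, because a
# compromised high-privilege component on a critical system is the worst case.
PRIVILEGE_SCORE = {"user": 1, "service": 2, "admin": 3}
IMPACT_SCORE = {"low": 1, "medium": 2, "high": 3}

def risk_score(p: Product) -> int:
    """Higher means more attack surface and more to lose."""
    score = PRIVILEGE_SCORE[p.privilege] * IMPACT_SCORE[p.business_impact]
    if p.external_comms:
        score += 3  # reachable from / reaching out to untrusted networks
    if p.deployed:
        score += 1  # exposure is current, not hypothetical
    return score

def assessment_tier(p: Product) -> str:
    """Map the score to the review depth the article describes."""
    score = risk_score(p)
    # Admin-level software with external communication always gets full PST,
    # regardless of how the business impact was rated.
    if score >= 8 or (p.privilege == "admin" and p.external_comms):
        return "full PST (manual black-box assessment)"
    if score >= 4:
        return "automated scan plus targeted review"
    return "lightweight review"

def triage(inventory):
    """Return (name, score, tier) tuples ordered by risk, highest first."""
    ranked = sorted(inventory, key=risk_score, reverse=True)
    return [(p.name, risk_score(p), assessment_tier(p)) for p in ranked]

# Constructed sample inventory (hypothetical product names).
SAMPLE_INVENTORY = [
    Product("dev-cli", "user", False, "low", False),
    Product("hr-reporting", "service", False, "medium", True),
    Product("ai-chat-plugin", "admin", True, "high", False),
    Product("edr-agent", "admin", True, "medium", True),
]

if __name__ == "__main__":
    for name, score, tier in triage(SAMPLE_INVENTORY):
        print(f"{name:15} score={score:2d}  {tier}")
```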
Learn to think red, act blue
The SANS SEC568 course is designed to build practical skills in PST. It focuses on black-box testing, a method that mimics real-world conditions where source code is unavailable. This makes it well suited to assessing third-party products over which the organization has no direct control. The course follows the principle of Think Red, Act Blue: by studying offensive tactics, organizations can better defend against them.
While product security testing will never prevent a breach at a third party outside your control, it is essential for allowing organizations to make informed decisions about their defensive posture and response strategy. Many organizations follow the standard process of identifying a need, selecting a product and deploying it without any deep security assessment. This lack of scrutiny can leave them struggling to determine the impact when a supply chain attack occurs.
By incorporating PST into the decision-making process, security teams gain critical documentation, including dependency mapping, threat models and specific mitigations tailored to the technology in use. This proactive approach reduces uncertainty, allowing faster and more effective response when vulnerabilities emerge. Instead of relying solely on broad industry-wide mitigations, organizations with PST documentation can implement focused security controls that minimize the risk even in the event of a breach.
Who uses product security testing?
Regardless of job title, a strong foundation in product security leads to improved security and readiness across the whole organization. While the obvious audience is a product testing team that can use these methodologies to evaluate third-party software as well as its own products, product security skills are not limited to one specific role. They are a valuable skill set that strengthens many positions in the organization. Security auditors can use PST to tailor assessments to the organization's unique risks and requirements, while penetration testers can go beyond simple vulnerability scanning to analyze unknown protocols and proprietary software. Application developers benefit from understanding how attackers exploit security weaknesses, which helps them write more secure code from the start, while SOC analysts can use these skills to detect and mitigate threats introduced by new software and hardware. Even decision makers benefit from PST, as it helps them make informed choices about risk, security investment and mitigation strategy. It is important to remember that we cannot detect, mitigate, exploit or develop what we do not understand.
To gain hands-on experience in product security testing, consider attending SEC568 in Orlando from April 13 to April 8, 2024. This training will provide the technical foundation required to effectively evaluate software and hardware. Just as you take a car for a test drive before buying it, applying a structured approach to product security allows organizations to fully understand potential risks before deployment. By following a repeatable methodology, security teams can reduce risk and be better prepared for future threats.
Note: This article was written and contributed by Douglas McKee, Executive Director of Threat Research at SonicWall, as well as lead author and instructor of SANS SEC568.