What Is Third-Party Software Security
Third-party software, also known as supply chain, vendor-supplied or outsourced software, is any program or application that is not written exclusively by employees of the company for which that software was created.
An increasing number of applications are created out of house or are assembled from off-the-shelf or open source code. Companies use a multitude of non-internally developed applications, such as those for email management, VPN connections, and information/lead management.
Our recent State of Software Security (SOSS) report found that 97 percent of the typical Java application is made up of open source libraries.
While you may go to great lengths to ensure the security of your own code, you cannot assume that your third-party software has been properly secured. Third-party software often leaves large vulnerabilities that can be exploited by hackers or malicious programs.
In fact, our SOSS findings revealed that about seven in every 10 applications have flaws in their open source libraries on initial scan. And, to take it one step further, almost one-third of applications have more security findings in third-party libraries than in the native codebase. Despite these findings, less than 50 percent of organizations scan their open source libraries.
It’s important to note that addressing open source vulnerabilities is not necessarily a major undertaking. Close to 74 percent of the flaws can be fixed with an update, such as a revision or patch. Even high-priority flaws can often be fixed with a simple update. Tools like Veracode Software Composition Analysis (SCA) scan open source dependencies for known vulnerabilities and make recommendations on version updates.
Veracode SCA can be integrated into your pipeline through a simple command-line scan agent and it delivers results in seconds. Or, you can use the same agent directly in your IDE to get feedback even earlier.
By using a tool like SCA, you can uncover not only flaws introduced directly by the application developer, but also transitive flaws introduced indirectly by other libraries several layers deep.
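To make the direct-versus-transitive distinction concrete, here is an added example (not Veracode's code or SCA output) that walks a constructed dependency tree, matches pinned versions against a constructed advisory list, and reports at what depth and through which direct dependencies each vulnerable library arrives, together with the version to update to. All package names, versions and advisories are hypothetical.

```python
# Constructed dependency graph: package -> packages it pulls in (hypothetical names).
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "mailer"],
    "web-framework": ["http-core", "templating"],
    "http-core": ["yaml-parser"],
    "templating": [],
    "mailer": ["yaml-parser"],
    "yaml-parser": [],
}
# Constructed pinned versions and a constructed advisory list, not real data.
INSTALLED = {"web-framework": "2.1.0", "http-core": "1.4.2", "templating": "3.0.1",
             "mailer": "0.9.5", "yaml-parser": "5.1.0"}
ADVISORIES = {"yaml-parser": {"affected_below": "5.4.0", "fixed": "5.4.0"},
              "mailer": {"affected_below": "1.0.0", "fixed": "1.0.0"}}

def parse_version(v):
    """Compare versions numerically so that 5.10.0 sorts after 5.4.0."""
    return tuple(int(p) for p in v.split("."))

def reachable(pkg, depth=1, acc=None):
    """Return {package: minimum depth} for pkg and everything it transitively pulls in."""
    if acc is None:
        acc = {}
    if pkg in acc and acc[pkg] <= depth:  # already seen at this depth or shallower (also stops cycles)
        return acc
    acc[pkg] = depth
    for child in DEPENDENCY_GRAPH.get(pkg, []):
        reachable(child, depth + 1, acc)
    return acc

def find_vulnerable(root="app"):
    """Map each vulnerable package to its shallowest depth, the direct dependencies
    that pull it in (the ones whose pins must change), and the fixed version."""
    findings = {}
    for direct in DEPENDENCY_GRAPH.get(root, []):
        for name, depth in reachable(direct).items():
            adv = ADVISORIES.get(name)
            if adv is None or parse_version(INSTALLED[name]) >= parse_version(adv["affected_below"]):
                continue
            entry = findings.setdefault(name, {"depth": depth, "via": set(),
                                               "installed": INSTALLED[name], "fixed": adv["fixed"]})
            entry["depth"] = min(entry["depth"], depth)
            entry["via"].add(direct)
    return findings

if __name__ == "__main__":
    for name, f in sorted(find_vulnerable().items()):
        kind = "direct" if f["depth"] == 1 else f"transitive, depth {f['depth']}"
        print(f"{name} {f['installed']} ({kind}, via {', '.join(sorted(f['via']))}): update to {f['fixed']}")
```

With this data, yaml-parser is never pinned by the application itself but arrives through both mailer and web-framework, which is exactly the kind of finding a per-library manual review misses.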