We Use That?!

Getting Your Arms Around Digital Supply Chain Security Risk

We’ve previously written about the importance of proving a strong security posture to your customers by confidently participating in their vendor security audits. But what about the security of your vendors? You could be vulnerable to risks related to the third-party systems your organization uses as well as risks from third-party software libraries used in your product development -- and in both cases, you might not even be aware of your exposure to them.

While we agree that software is eating the world and organizations are reaping the benefits, they are also paying a price with increased complexity and risk. There will always be some inherent risk in doing business with other organizations, but with proper security controls, risk can be managed to an acceptable level of residual risk. However, that’s hard to do when you don’t have a clear picture of what’s running in your environment or how you are connected to third parties that pose risk.

That fuzzy picture is partially due to the fact that, unlike their predecessors in the on-prem application world, today’s cloud technologies and digital transformation tools are easier to implement and consume across the enterprise and often easier still to integrate with other SaaS platforms. Growing organizations also experience Shadow IT, as more employees rely on SaaS apps for their needs without involving IT or security teams to vet new vendors.

If your organization provides SaaS services or incorporates software into products today, your developers likely use third-party code to rapidly build, package, deliver, and manage applications. That is generally great for rapid product development, high-quality deliverables, and successful customer usage. But it’s not great if you don’t have a complete understanding of those software libraries and a way to measure, track, and manage the risk of their integration with your platform.

Unfortunately, both of these scenarios inevitably lead to “we use that?” moments. Most of these moments are benign, of the “huh, I didn't know” variety, but some are disastrous, as in “holy $&*%, how did that happen?”

For example, many small and medium-sized enterprises learned the hard way about their exposure to Kaseya VSA, a remote management and monitoring (RMM) tool, when the ransomware gang formerly known as REvil discovered and exploited a zero-day vulnerability in VSA and hijacked the tool to encrypt and ransom managed IT assets.

The attack illustrates supply chain complexity and risk because the organizations that were encrypted were not Kaseya’s customers. VSA is used by managed service providers (MSPs) globally to manage their customers’ IT assets remotely. REvil and its affiliates discovered vulnerabilities in the VSA server component, which is deployed and run either in Kaseya’s cloud on behalf of an MSP or by an individual MSP. REvil used the server components to gain control of VSA clients deployed on thousands of machines across 800 to 1500 MSP end customers and finally to deploy their ransomware payload and encrypt these assets.

And Kaseya is not the only example -- there’s Codecov, Accellion, and others. The thing is, it’s simply not possible to address all the resulting third-party risks of doing business with other companies. But you absolutely have to address the things that matter most and pose the greatest risks. In the case of a managed service provider that has full administrative rights to your systems, you need to know enough about that MSP and their security posture to ensure they align with your organization’s security controls, tolerance for risk, and compliance regulations.


In the case of third-party software libraries that your team builds into your SaaS offering, IoT or consumer electronics product, you need to have visibility and internal processes to analyze and manage related risks. The bottom line is that every company uses third-party software and while you don’t have to conduct a code review on everything, you do have to know the risks, in order to prioritize and manage them.

If you are not sure how to accomplish either scenario, turn to an experienced partner like I/Omergent, which can help you get visibility into what’s running in your infrastructure in order to manage, reduce, and remediate risk. We do that in two ways:

  1. Technical Risk Reduction. We audit your risk surface by discovering and mapping technical risks to business risks in order to illustrate your real exposure to risk. We’ll help you identify, map, and then prioritize vulnerabilities and risks from vendors, your digital supply chain, IT systems, Cloud services, and SaaS apps and platforms.


  2. Secure Software Development & DevSecOps. Regardless of whether your apps or cloud services are built in-house or through outsourced partners, we can ensure your development processes, tools, and systems integrate both security and privacy through a customized framework across the software development lifecycle.

Would you like to learn how I/Omergent can help your organization mature its security program? Contact us today to schedule a confidential consultation at no cost.