The reason for writing this article is that current approaches to vendor assessments are failing. A perfect example is a recent news headline you may have read: “Atrium Health’s Billing Vendor Hacked, 2.65M Patients Affected”. A hosted app in Atrium’s networked environment was leveraged to access databases which contained the patient data. Today we will discuss some of the risks associated with third-party software as a solution apps, and answer some questions surrounding ensuring the security of those apps. What are some implications of not testing? What are the legal considerations surrounding ensuring the security of the app? What happens if you find a serious hole, and lastly, if you do, do you continue to do business with the vendor?

Vendors are consistently being assessed against frameworks such as the Standardized Information Gathering (SIG) questionnaire or rating schemes like BitSight. The next logical step is to actually verify that a vendor has some basic technical security in place. One way of helping to ensure this is with a penetration test, or pen-test. A penetration test is a simulated attack. It differs from a vulnerability scan in that the actual exploitability of systems and software is tested, and issues come to light which would not be found with an automated scanner. A pen-test is a much more thorough, realistic test which gives a company greater insight into its current security. The possible outcome of not testing one of these apps could most certainly be your company’s worst nightmare: data breaches are expensive to clean up, a public relations nightmare, and harmful to employee morale.

How do you legally pen-test third-party apps? The only way to legally test a third-party app is with express permission from the vendor. Aside from the legalities, without the vendor’s permission any bug which may be found cannot be fixed! These are software as a solution products; as a purchaser of the product, or as an auditor, access to the code simply is not there. How can you make changes to a broken application if you cannot access its code? On the contrary, with the vendor on board the application can be audited within agreed scope tolerances. A good vendor response should be quick, accurate, and remediate the immediate risk. Ultimately, mistakes happen. At the end of the day you should reduce your organization’s risk by testing these apps with the appropriate permissions to ensure a secure solution is in your environment.

What happens if you find a serious hole, and if you do, do you continue to do business with the vendor? With the amount of code that goes into modern applications, faults happen. With the proper communication channels in place, reach out to the vendor with the information you have regarding the vulnerability. Now is the time for the vendor to really stand up and take action. The vendor should be very responsive to you, your claims, and the remediations which need to take place. Perhaps the issue is more than a quick fix; in this scenario the app should be decommissioned until code can be pushed to fix it. Be sure to stay on top of communication between yourself and the vendor, expecting rapid change. The vendor response is what really tells you whether you should do future business with the vendor or not. Mistakes happen to everyone. It’s how you bounce back from those mistakes which defines you and your company. If the vendor’s response is outstanding, they take complete ownership of the issue, and they are taking the proper steps towards preventing exploits in the future, then you should most surely stick with them as a vendor.

In conclusion, yes, you can pen-test your vendor. The vendors themselves want to ensure your company is happy with its decision to use the vendor’s product, and the vendor also wants you to continue to use their services. Approach the situation with an open line of communication between yourself and the vendor: test, relay results, and continue to communicate. When the vendor has indicated a solution to the bug is in place, quickly verify that a fix has been made, and relay your confirmation to the vendor. By taking these steps, you have done your best to ensure a secure solution for your company.

https://atriumhealth.org/about-us/newsroom/security/special-announcement