Managing third-party risk with Spectra Assure
To avoid claims of internal control failure and negligence, organizations must be able to demonstrate that they have comprehensively evaluated third-party software before they entrust it with sensitive data.
With automated risk assessment solutions, such as Spectra Assure, organizations can better manage the reputational, financial, and operational impact presented by third-party software, while conserving vital company resources to focus on critical issues.
The majority of commercial-off-the-shelf (COTS) software is made up of open-source components that are being increasingly targeted by malicious actors due to their lack of governance, controls, and regulatory oversight.
As these open-source components get packaged into COTS software, organizations lose visibility into the components of software that often support critical business processes. Reduced visibility into your software also means less control, leading to difficulties in managing the security risks that inevitably emerge.
In recent years, the size and complexity of COTS software packages have increased for different reasons, such as consumer demand for enhanced features or the emergence of large machine learning modules. This has in turn expanded the attack surface of enterprises, who rely on thousands of COTS software packages every day to run their business.
To address this growing concern, every organization needs a reliable method to promptly assess the risk of increasingly large third-party software packages.
Manage risk more effectivelyโ
TPRM teams have traditionally been responsible for software vendor oversight, typically managed through the performance of vendor security questionnaires. However, this approach is falling short in managing software supply chain risks and is leaving organizations more susceptible to attacks.
A key contributing factor to software vendor risks slipping through the cracks is a lack of coordination and communication between the key teams responsible for managing risk. TPRM teams traditionally believed that COTS software vendors fell outside of their scope since they do not have access to organization's sensitive data and resources. On the other hand, Application Security teams thought that any security risk would be managed through contractual terms with the third-party vendor the software was acquired from.
Recognizing that this gap even exists is the first step towards building a more robust risk management program. Spectra Assure can help bridge this gap since it unifies TPRM and Application Security functions, enabling organizations to better manage third-party software risk.
How can Spectra Assure help?โ
Spectra Assure allows you to analyze any third-party software binary you have purchased and intend to use. However, the platform does not require you to have access to the software source code, which makes it ideal for analyzing closed source and commercial software packages. For each analyzed package, it automatically generates the software bill of materials (SBOM), giving you more visibility and control over your software supply chain.
The engine behind the Spectra Assure platform uses static binary analysis that recursively unpacks software binaries and extracts metadata from software dependencies. This means that beyond an SBOM, it can also discover potential security risks and threats or unauthorized software changes without ever executing or detonating the software.
TPRM professionals can use the provided information to safeguard their organization by effectively managing any detected security violations.
Spectra Assure helps you manage risk with the following features:
Effective Controls: To demonstrate that an effective internal control is consistently enforced, you need proper evidence for audit purposes. This is why Spectra Assure allows you to either download the analyzed software package or export different parts of its analysis report in various formats.
Shareable Reports: When identified issues require third-party escalation, organizations can generate a temporary link to share the report directly with the vendor. Sharing options are configurable, including password protection and download of related analysis artifacts (such as the SBOM). This feature, exclusive to the Portal, promotes transparency between software producers and buyers, while also enabling granular control of the sensitive information uncovered during analysis.
Approval Workflows: Spectra Assure Approvals functionality is exclusive to the Portal. It provides TPRM teams a compliance mechanism to ensure that an appropriate member of the organization has reviewed the results of each scan and confirmed any identified issues are within the set risk tolerances. To guarantee the historical effectiveness of this control can be evaluated, an audit history of each approval action is retained within the Portal.
Differential Analysis: Spectra Assure lets you easily track software development across different versions and determine whether the security posture of software improved or declined over time. Thanks to its differential analysis capability, you can compare every new version that gets released to the previous ones. Spectra Assure automatically flags when issues identified in old versions have been remediated and where new risks have been introduced.
SAFE Levels: To maintain or improve the quality of your software in the subsequent releases, focus on attaining a specific SAFE Level in line with your security goals. Reports clearly illustrate the effort and actions needed to progress to the next SAFE level. Organizations can then use this as a roadmap towards increased security performance. The SAFE Levels system can also act as a benchmark, allowing you to compare the security posture of multiple software packages at once. This can be helpful to anyone who wants to buy multiple software products and needs to measure the security risk that each package would present.
Implement Spectra Assure in TPRMโ
To make the most of Spectra Assure risk management capabilities, below is a list of key steps for you to take. These steps pertain only to the Spectra Assure Portal.
1. Onboarding and configurationโ
Before you start scanning your software packages, you need to align Spectra Assure with your organization risk tolerance.
- Invite team members to the Spectra Assure Portal
- Divide team members into member groups based on organizational function or use case
- Set up projects to organize software uploads by category (e.g. vendor, software type, business impact, inherent risk level, etc.)
- Ensure sufficient analysis capacity is available and allocated across member groups based on the needs of new and existing software vendors
- Configure policies to align with internal security standards so that reports only display a โFailโ status when issues identified are beyond organizational risk appetite
- Leverage group-level-configuration to build custom policy profiles for software types which need to meet different security baselines
- Use SAFE Levels to help attain specific security goals, while also providing vendors a roadmap to improve third-party software quality over time
Once you've completed these steps, Spectra Assure Portal settings are successfully configured and tailored to your needs.
2. After scanโ
After a successful scan, you can begin reviewing the analysis results.
- Share your analysis reports with vendors, highlighting any failing issues which they need to help you address
- Approve, reject, or revoke the software version based on the analysis results and your willingness to accept risk or make a temporary exception for the identified failing issues
- Automate issue remediation validation by analyzing various versions of the same software using differential analysis rather than relying on a vendor to verify or provide evidence
- Export reports to make their offline copies and use them to maintain an audit trail of assessment activity
Why should you include Spectra Assure in your TPRM program?โ
Once you integrate Spectra Assure into your existing business processes, you can derive the following benefits from the platform:
Enhanced vendor onboarding experience: Spectra Assure does not require you to have access to the source code of any software you want to analyze. It allows you to customize the criteria for failing the software, simplifying the decision to use the third-party software or not. The platform also generates a report with visual cues allowing you to pinpoint the most critical issues. This accelerates risk assessment and remediation, enhancing the security and the overall quality of your software, as well as your speed of service.
Advanced vendor security assurance: By proactively scanning third-party software packages for exposures and threats throughout the software lifecycle, you can identify early signs of risk more rapidly. This allows you to build customer trust by managing these risks before they turn into operational issues or damage your reputation. Based on risk assessment data, you're also able to expand your visibility into the third-party components included in your software and create a network of partners and vendors you can trust.
Increased software supply chain visibility: Spectra Assure is capable of analyzing and accurately detecting risks and threats in large and complex software (up to 10 GB in size). For each analyzed package, it automatically generates a comprehensive Software Bill of Materials (SBOM). The SBOM provides you with an extensive list of both commercial and open-source components and dependencies used in any software. This in turn gives you more visibility and control over your software supply chain.