
3 Approaches to Security Testing for Third Parties

What You Should Consider Before Launching a Security Test for Your Third Parties and Vendor

A paradox of cybersecurity’s function in business is that businesses provide value by creatively sharing and using information, but cybersecurity benefits from less sharing and access to data.

This holds doubly true in the area of third-party security for large organizations that must adhere to stricter regulations, such as banks and government agencies. It is nearly impossible to conduct business without frequently and openly sharing valuable information with, or via, third parties.

Drug developers rely on clinical research partners for essential data. Banks exchange information with credit agencies, other banks, regulators and more. All of this drives software development and infrastructure changes constantly, and some percentage of those changes introduce security vulnerabilities that are detected late in the process, which poses risk for the organizations.

Many feel that they get more security “bang-for-the-buck” through third-party testing, that is, testing the software of others. A 2022 study by the Ponemon Institute found that while 75% of respondents are concerned about the risk of ransomware linked to third parties, only 36% of organizations evaluate their own security and privacy practices. An earlier 2019 Ponemon study found that if it were a third party that caused a data breach, the cost increased by more than $370,000 (raising it to $4.3 million). Shoring up third-party defenses clearly has benefits for multiple parties (and your customers).

How Synack Customers Test Third Parties

Synack has seen customers try different approaches for testing third parties. Tests are either 1) encouraged, 2) required or 3) coordinated.

In the first model, third parties are strongly encouraged to get a security test from Synack and share the results with their partner, usually the larger of the two companies. It’s not forced; ultimately, it’s up to the third party to decide if their relationship benefits from a security test.

In the second model, security testing is a requirement for a relationship to be contractually completed. Finally, the Coordinated Testing model is the one Synack sees growing the fastest. In this model, the larger company with several third parties to test purchases tests on behalf of other companies and mandates testing. Usually, they specify the testing intensity as well, by choosing a basic Synack test or a more comprehensive offering. This secures testing resources and makes it easier to share data via a testing platform built for it.

Issues to Consider when Testing Third Parties

Whichever model you prefer, there are several things to consider. First, what is the chargeback model, if any, for security tests? Does the third party pay, the first party or someone else? Does the payment happen up front or in a later, internal accounting? The latter helps execute testing faster, which is ultimately what many companies want in order to reduce risk earlier.

Next, what legal agreements need to be in place? All Synack customers have clear contracts with Synack that cover testing. In some cases, an identical contract is needed with a third party, but more frequently, it’s a simpler agreement. Consult with your legal team to find the simplest but most effective way to expand testing on your assets, regardless of where they reside.

Finally, there is information sharing. Do vulnerabilities found on a third party get reported to the primary party? In most cases, the primary party simply wants to know that vulnerabilities are not present, which can be done with patch verification reports. Synack’s robust role-based access control system and reporting allow for any choice along this spectrum to be securely shared according to the wishes of the companies. Information can be shared via a final report, access to the Synack Portal (with real-time information about testing efforts and results) or both.

Whatever you choose, third-party security testing to clean up potential vulnerabilities advances the ultimate goal for many companies: safer users and data.

The post 3 Approaches to Security Testing for Third Parties appeared first on Synack.

Join the Synack Red Team This Summer in Las Vegas

Synack Race Condition Promotion

Have you been thinking about joining the Synack Red Team, our team of ethical hackers who protect organizations and companies around the world? But you have been putting it off until you had “more time”?

Well, the time is NOW! For the rest of the month of July, apply for a spot on the Synack Red Team and take advantage of this extra incentive.

Every summer in Las Vegas, we take some of our best SRT members out for some bonding, knowledge exchange and maybe a little adrenaline.

This year, we’re inviting SRT members in Las Vegas to do a little Go-Kart racing with us, with the top performers racing some exotic cars with us. While Ferraris and Lamborghinis will be there, who can object to the aptly named Dodge Charger SRT?

All you have to do is apply here. If you are accepted and are already in Las Vegas for DEF CON, you’ll get an invite for the SRT racing events above.

Also, the top five applicants who are accepted and use the code “SRT_VEGAS_2021” during their application will be added to a random drawing to win a 1-year Hack the Box VIP pass (valued at $150).

On top of the August benefits, membership in the Synack Red Team gives you access to the best targets run by the most professional defenders. Synack triages with 100% of payments at the time of vulnerability report verification – never on patch. That means you get one professional triage team, not inconsistent standards that change from target to target.

Learn more or apply now! We want to see you in Las Vegas!

The post Join the Synack Red Team This Summer in Las Vegas appeared first on Synack.
