Breaches stemming from third-party software increased by 68% in the last year.1 Threat actors are capitalizing on software supply chain attacks because they consistently bypass even the most sophisticated security controls. They do this by weaponizing the commercial software their targets trust to run their business.
Despite these trends, evaluating third-party or commercial software risks before purchase or deployment is a critical control that most organizations lack. Furthermore, the tools that might be in place like questionnaires, SBOMs, and vendor risk assessments are failing to fully address this growing threat. .
This session will cover:
· Why commercial software remains an under addressed third-party risk
· The limitations of existing methods like surveys, pentests, sandboxing, and others
· A strategy for more comprehensive software risk assessment
· Considerations for creating controls & processes to verify software safety