In early 2021, attackers infiltrated SolarWinds software used by thousands of major businesses and organizations worldwide. This allowed malicious parties to access data owned by not just SolarWinds but everyone who used the SolarWinds solution. Such attacks are called supply chain attacks and yes, they are just as possible in the web application security space.

Does your business use any third-party web applications? If so, how can you be certain that you are not going to become a victim of a supply chain attack?

It’s in your interest because it’s your loss

Let’s say that you represent a major corporation that conducts part of its business activities with the help of third-party specialized web-based software. For example, let’s say that you own a huge chain of warehouses and you use third-party software to plan all your logistics – which products need to be delivered to your warehouses and when so that your clients can buy them off-the-shelf but your warehouses are not overfilled.

If the third-party web application you use for logistics is unsafe and hacked, it’s not the third-party supplier of the application that has the most to lose. It’s you. It’s your data that is in the application. It’s your operations that will be disturbed. And it’s you who are powerless to fix the issue immediately. And since you are probably not the only business relying on this software, many other businesses are in your shoes as well.

That’s the biggest problem with supply chain attacks. The software makers often have little to lose compared to the customers who purchase the software.

Can you handle it yourself?

Of course, you can hire your own security team and that team can manage the security of third-party applications. However, you may simply be running warehouses with specialist mechanical parts and have a very limited IT department. Should you be expected to hire security personnel to inspect the tools and services that you’re paying for? And if not, how can you make sure that they are properly secured?

Even if you decide that your web application security is so important that you need to monitor it on your own, you’re in a disadvantageous position. This is because you receive the production version of third-party software and do not participate in development. If you run regular Acunetix scans on your third-party software and you find a vulnerability, that third-party software would then have to go back all the way to the drawing board to be fixed. It’s just too late to look for issues in production.

On the other hand, your contractor is in a much better position. They can, for example, include Acunetix early in their software development lifecycle and eliminate issues the moment they first appear (right after the developer introduces a vulnerability). This way, there are nearly no delays at all associated with web application security.

Expect web application security from your contractors

The only way that you can make sure that you are not affected by supply chain attacks is to expect the highest standards of security from your contractors. This includes every piece of software that you use, especially all the applications accessible using a browser, i.e., web applications.

The simplest thing that you may expect is for your contractors to present you with a web vulnerability scanner compliance report, such as the OWASP Top-10 report offered by Acunetix. This type of report will immediately show you if the software that you are purchasing has any vulnerabilities and if these are the types of vulnerabilities that you should worry about.

However, that might not be enough. Your contractor may run scans that produce such reports only once in a long while. Even if they run reports more often, it’s impractical for you to review them every time to make sure that your data is safe.

You must expect your contractor to follow web application security best practices and have a full web application security strategy that includes, at the very least, scanning every release candidate of the application. However, if you want to feel truly secure, you must expect your contractor to include web application security in their software development lifecycle, at the very earliest stage.

Talk to your contractors to make sure they already have a dynamic application security testing (DAST) solution such as Acunetix working as part of their SDLC.

Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Tomasz Andrzej Nidecki (also known as tonid) is a Primary Cybersecurity Writer at Invicti, focusing on Acunetix. A journalist, translator, and technical writer with 25 years of IT experience, Tomasz has been the Managing Editor of the hakin9 IT Security magazine in its early years and used to run a major technical blog dedicated to email security.