Imagine you’re considering a new car for your family. Before making a purchase, you evaluate its safety ratings, fuel efficiency, and reliability. You might even take it for a test drive to ensure it meets your needs. The same approach should be applied to software and hardware products before integrating them into an organization’s environment. Just as you wouldn’t buy a car without knowing its safety features, you shouldn’t deploy software without understanding the risks it introduces.
The Rising Threat of Supply Chain Attacks
Cybercriminals have recognized that instead of attacking an organization head-on, they can infiltrate through the software supply chain—like slipping counterfeit parts into an assembly line. According to the 2024 Sonatype State of the Software Supply Chain report, attackers are infiltrating open-source ecosystems at an alarming rate, with over 512,847 malicious packages detected last year alone—a 156% increase from the previous year. Traditional security tools and processes often miss these threats, leaving organizations unprepared.
One major example in 2024 was a year-long supply chain attack uncovered in the Python Package Index (PyPI). Attackers uploaded malicious packages disguised as legitimate AI chatbot tools, hoping to trick developers into integrating them into their projects. These packages contained harmful code designed to steal sensitive data and execute remote commands on infected systems. Because PyPI is widely used across various industries, this attack had the potential to compromise thousands of applications before security researchers at Kaspersky detected and reported the malicious activity. This incident highlights how attackers are increasingly exploiting trusted repositories to distribute malware, reinforcing the need for additional in-depth measures when evaluating software.
A Hands-On Approach to Risk Assessment: Product Security Testing
Organizations need a structured and repeatable way to evaluate software and hardware risks before introducing them into their environments. This process, known as Product Security Testing (PST), is about answering key questions:
- What risks does this product introduce to my network?
- Should we use this product, or is there a safer alternative?
- If we use it, what mitigations should be put in place to minimize risk?
PST isn’t just about scanning for vulnerabilities—it’s about understanding how a product behaves in your specific environment and determining its overall risk impact. Given the vast number of third-party components used in modern IT, it’s unrealistic to scrutinize every software package equally. Instead, security teams should prioritize their efforts based on business impact and attack surface exposure. High-privilege applications that frequently communicate with external services should undergo product security testing, while lower-risk applications can be assessed through automated or less resource-intensive methods. Whether done before deployment or as a retrospective analysis, a structured approach to PST ensures that organizations focus on securing the most critical assets first while maintaining overall system integrity.
Learning to Think Red, Act Blue
The SANS SEC568 course is designed to build practical skills in PST. It focuses on black-box testing, a method that simulates real-world conditions where the source code isn’t available. This makes it highly applicable for evaluating third-party products that organizations don’t have direct control over. The course follows the principle of Think Red, Act Blue—by learning offensive tactics, organizations can better defend against them.
While Product Security Testing will never prevent a breach of a third party out of your control, it is necessary to allow organizations to make informed decisions about their defensive posture and response strategy. Many organizations follow a standard process of identifying a need, selecting a product, and deploying it without a deep security evaluation. This lack of scrutiny can leave them scrambling to determine the impact when a supply chain attack occurs.
By incorporating PST into the decision-making process, security teams gain critical documentation, including dependency mapping, threat models, and specific mitigations tailored to the technology in use. This proactive approach reduces uncertainty, allowing for faster and more effective responses when vulnerabilities emerge. Rather than relying solely on broad industry mitigations, organizations with PST documentation can implement targeted security controls that minimize risk before a breach even happens.
Who leverages Product Security Testing?
Regardless of job title, having a strong foundation in product security testing leads to better security posture and preparedness within the entire organization. While the obvious fit is product security testing teams can leverage these methodologies to evaluate third-party software as well as their own in-house products – product security testing isn’t limited to one specific role. This is a valuable skill set that enhances various positions within an organization. Security auditors can use PST to tailor evaluations to an organization’s unique risks and compliance needs, while penetration testers can go beyond simple vulnerability scans to analyze unknown protocols and proprietary software. Application developers benefit by understanding how attackers exploit security flaws, helping them write more secure code from the start, while SOC analysts can use these skills to detect and mitigate threats introduced by new software and hardware. Even decision-makers gain insights from PST, as it helps them make informed choices about risk, security investments, and mitigation strategies. It’s important to remember that it’s impossible to detect, mitigate, exploit, or develop what we don’t understand.
To gain hands-on experience in product security testing, consider attending SEC568 in Orlando from April 13-18, 2024. This training will provide the technical foundation needed to assess software and hardware security effectively. Just like taking a car for a test drive before purchasing, applying a structured approach to product security testing allows organizations to fully understand potential risks before deployment. By following a repeatable methodology, security teams can reduce risks and be better prepared for future threats.
Note: This article was expertly written and contributed by Douglas McKee, the Executive Director of Threat Research at SonicWall, as well as the lead author and instructor for SANS SEC568.