Acquired Software
Overview
Most software used by organizations is acquired from vendors, whether it's installed on-premises or delivered as Software-as-a-Service (SaaS). Security professionals must evaluate the security of this software to ensure it aligns with organizational requirements.
- Software often purchased from external vendors
- Includes both on-premises and cloud-based SaaS
Risk Assessment for Acquired Software
Conducting a risk assessment helps security teams understand the potential impact of software on operations.
- Assess confidentiality, integrity, and availability risks
- Consider likelihood and impact of security incidents
- Prioritize risk areas for further attention
Regular Vulnerability Scanning
Organizations should regularly scan purchased software to catch security issues, whether those issues can be remediated internally or require vendor assistance.
- Use network and web application scanners
- Detect missing patches and software flaws
- Escalate flaws that only the vendor can fix, such as SQL injection vulnerabilities in the vendor's code
Keeping Software Updated
Staying current with security patches and updates is critical to protecting systems from attackers who exploit known vulnerabilities.
- Apply vendor security updates (patches, hotfixes)
- Prioritize updates to mitigate risk
- Prevent attackers from exploiting unpatched software
Configurable Security Options
Even with purchased software, organizations usually retain control over important security configurations and remain responsible for setting them correctly.
- Manage user accounts and administrative privileges
- Set IP restrictions and other controls
- Clarify which security responsibilities the SaaS provider covers and which remain with the organization, and ensure the latter are addressed