• About
  • Subscribe
  • Contact
Wednesday, May 7, 2025
    Login
  • Management Leadership
    • Growth Strategies
    • Finance
    • Operations
    • Sales and Marketing
    • Careers
  • Technology
    • Infrastructure and Platforms
    • Business Applications and Databases
    • Big Data, Analytics and Intelligence
    • Security
  • Industry Verticals
    • Finance and Insurance
    • Manufacturing
    • Logistics and Transportation
    • Retail and Wholesale
    • Hospitality and Tourism
    • Government and Public Services
    • Utilities
    • Media and Telecommunications
  • Resources
    • Whitepapers
    • PodChats
    • Videos
  • Events
No Result
View All Result
  • Management Leadership
    • Growth Strategies
    • Finance
    • Operations
    • Sales and Marketing
    • Careers
  • Technology
    • Infrastructure and Platforms
    • Business Applications and Databases
    • Big Data, Analytics and Intelligence
    • Security
  • Industry Verticals
    • Finance and Insurance
    • Manufacturing
    • Logistics and Transportation
    • Retail and Wholesale
    • Hospitality and Tourism
    • Government and Public Services
    • Utilities
    • Media and Telecommunications
  • Resources
    • Whitepapers
    • PodChats
    • Videos
  • Events
No Result
View All Result
No Result
View All Result
Home Technology Business Applications & Databases

PodChats for FutureCIO: Securing third-party apps

Allan Tan by Allan Tan
October 24, 2022
PodChats for FutureCIO: Securing third-party apps

PodChats for FutureCIO: Securing third-party apps

One of the defining characteristics of the digital economy is our increased dependence on third-party organisations. Whether we are manufacturers, retailers, hotels, financial institutions or government, we rely on a network of suppliers and business partners to create and deliver goods and services.

While this interdependence allows us to achieve economies of scale, it also introduces risks to our business.

Consider the case of the Japanese automaker, Toyota. In February 2022, Toyota shut down operations in Japan after a major plastic supplier, Kojima Industries, suffered a data breach. Kojima had remote access to Toyota manufacturing plants, greatly increasing Toyota’s risk. As a result of the temporary shutdown, Toyota suffered financial and operational losses.

These third-party risks extend to our technology suppliers. Consider the case of SolarWinds and Kaseya – both are trusted names in their industries. When both suffered a breach, the attack cascaded down to their customers.

So how do you protect your business when the potential threat is from outside your control?

Siddharth Deshpande, field CTO for the Asia-Pacific region at Palo Alto Networks, acknowledges that most business applications today are not developed (coded) from scratch.

He explained that these are generally assembled with different elements of third-party code that are integrated into the applications. Those application components or libraries represent dependencies.

He cautioned that there are risks because some of these come from an external environment.

“You can't always regulate exactly what code components end up in your software pipeline. But if you take security into the entire CICD lifecycle, organisations engage in digital business and yet maintain the risk posture."

Siddharth Deshpande

How can infrastructure as code play a role in supply chain protection?

Siddharth Deshpande: A small misconfiguration in one of these infrastructure-as-code templates can expose the organisation to excessive risks in production. It becomes hard to manually track down those misconfigurations once the application is already in production.

The solution is to look at shipping security labs so that you're able to bake security into the infrastructure as a coding process. You’re able to offer developers very specific recommendations to remediate those misconfigurations as they are committing the infrastructure as code templates.

How can code security prevent vulnerabilities and compliance violations that arise because of the increased use of container images?

Siddharth Deshpande: It's a combination of container security and scanning in the pre-deployment phase in the code and build phase as well as in the runtime phase. Container security from a vulnerability perspective has to be continuous.

You need to be able to do container vulnerability scanning at runtime and link that runtime scan with whatever you discovered in the pre-deployment phase, integrating the development and the runtime phase of container scanning.

If you look at the idea of provisioning controls built into code, what is the significance of policy as a code or policy as code?

Siddharth Deshpande: Policy as code becomes important because you don't want developers to go outside of their workflow or their infrastructure as code tools to implement policies.

Any cloud security approach needs to provide instrumentation and integration with the developers’ coding tools to allow them to put in place policies that can cascade [from] production to environment effectively.

[It] is just automating from a security perspective, enforcement of security policy at the code level, [instead of] having to do that manually.

How can the industry then build confidence in open-source security when you hear all of these breaches that have been happening for the last few years?

Siddharth Deshpande: I think it's a holistic approach that the industry needs to take. Apart from raising awareness, it’s the technology angle. You cannot expect open-source code maintainer[s] to have absolute visibility into everything from a security perspective.

The CICD lifecycle [should be integrated] effectively with the tools that developers are using. That can give organisations assurance that security is not a process that's coming in after the application is in production, but while the applications are being developed.

What is your advice to both the CIO, the CSO, and CTOs as regards securing third-party applications?

Siddharth Deshpande: There must be an organisational cultural awareness that needs to be driven from the top down about what types of different mechanisms exist for third parties to interact with our infrastructure and what kinds of risks those poses.

It's the culture and technology, but the technology platform, if it's the correct cloud security platform or CNAAP, [that] can facilitate the cultural change that organisations need to undergo when it comes to protecting against third-party risks.

Click on the PodChat player as Deshpande elaborates on the risks that come with third-party applications and how to secure the enterprise against third-party risks.
  1. What are the hidden risks and threats posed by Third-Party Code? 
  2. How can Infrastructure-as-code play a key role in supply chain protection? 
  3. How can code security prevent vulnerabilities and compliance violations in container images?
  4. What is the significance of policy-as-code in the provision of controls built into code?
  5. Most of the modern application code is made up of open-source dependencies. How can the industry build confidence in open-source security?
  6. As organisations pursue cloud-native applications and work more collaboratively with third-party partners, what is your advice for CIO/CISO and CTO in securing third-party applications?
Related:  PodChats for FutureCIO: The operational risks of cyber threats to Asia’s financial sector
Tags: Palo Alto NetworksPodchatssupply chain disruptionthird-party risk management
Allan Tan

Allan Tan

Allan is Group Editor-in-Chief for CXOCIETY writing for FutureIoT, FutureCIO and FutureCFO. He supports content marketing engagements for CXOCIETY clients, as well as moderates senior-level discussions and speaks at events. Previous Roles He served as Group Editor-in-Chief for Questex Asia concurrent to the Regional Content and Strategy Director role. He was the Director of Technology Practice at Hill+Knowlton in Hong Kong and Director of Client Services at EBA Communications. He also served as Marketing Director for Asia at Hitachi Data Systems and served as Country Sales Manager for HDS’ Philippines. Other sales roles include Encore Computer and First International Computer. He was a Senior Industry Analyst at Dataquest (Gartner Group) covering IT Professional Services for Asia-Pacific. He moved to Hong Kong as a Network Specialist and later MIS Manager at Imagineering/Tech Pacific. He holds a Bachelor of Science in Electronics and Communications Engineering degree and is a certified PICK programmer.

No Result
View All Result

Recent Posts

  • Agentic AI-powered AppSec platform launched for the AI era
  • IDC forecasts GenAI alone will grow at a 59.2% CAGR
  • Dataiku brings new AI capabilities to create and control AI agents
  • Microsoft reveals the rise of a new kind of organisation in the AI era
  • St Luke’s ElderCare enhances data security and user experience with Juniper

Live Poll

Categories

  • Big Data, Analytics & Intelligence
  • Business Applications & Databases
  • Business-IT Alignment
  • Careers
  • Case Studies
  • CISO
  • CISO strategies
  • Cloud, Virtualization, Operating Environments and Middleware
  • Computer, Storage, Networks, Connectivity
  • Corporate Social Responsibility
  • Customer Experience / Engagement
  • Cyber risk management
  • Cyberattacks and data breaches
  • Cybersecurity careers
  • Cybersecurity operations
  • Education
  • Education
  • Finance
  • Finance & Insurance
  • FutureCISO
  • General
  • Governance, Risk and Compliance
  • Government and Public Services
  • Growth Strategies
  • Hospitality & Tourism
  • HR, education and Training
  • Industry Verticals
  • Infrastructure & Platforms
  • Insider threats
  • Latest Stories
  • Logistics & Transportation
  • Management Leadership
  • Manufacturing
  • Media and Telecommunications
  • News Stories
  • Operations
  • Opinion
  • Opinions
  • People
  • Process
  • Remote work
  • Retail & Wholesale
  • Sales & Marketing
  • Security
  • Tactics and Strategies
  • Technology
  • Utilities
  • Videos
  • Vulnerabilities and threats
  • White Papers

Strategic Insights for Chief Information Officers

FutureCIO is about enabling the CIO, his team, the leadership and the enterprise through shared expertise, know-how and experience - through a community of shared interests and goals. It is also about discovering unknown best practices that will help realize new business models.

Quick Links

  • Videos
  • Resources
  • Subscribe
  • Contact

Cxociety Media Brands

  • FutureIoT
  • FutureCFO
  • FutureCIO

Categories

  • Privacy Policy
  • Terms of Use
  • Cookie Policy

Copyright © 2022 Cxociety Pte Ltd | Designed by Pixl

Login to your account below

or

Not a member yet? Register here

Forgotten Password?

Fill the forms bellow to register

All fields are required. Log In

Retrieve your password

Please enter your username or email address to reset your password.

Log In
No Result
View All Result
  • Management Leadership
    • Growth Strategies
    • Finance
    • Operations
    • Sales and Marketing
    • Careers
  • Technology
    • Infrastructure and Platforms
    • Business Applications and Databases
    • Big Data, Analytics and Intelligence
    • Security
  • Industry Verticals
    • Finance and Insurance
    • Manufacturing
    • Logistics and Transportation
    • Retail and Wholesale
    • Hospitality and Tourism
    • Government and Public Services
    • Utilities
    • Media and Telecommunications
  • Resources
    • Whitepapers
    • PodChats
    • Videos
  • Events
Login

Copyright © 2022 Cxociety Pte Ltd | Designed by Pixl

Subscribe