Cybersecurity and Third-Party Risk (book)

by Gregory C. Rasner
July 2021
Content level: Intermediate to advanced
480 pages
9h 38m
English
Wiley
Content preview from Cybersecurity and Third-Party Risk

Chapter 12: Software Due Diligence

Third‐party software is everywhere in an enterprise. Common desktop productivity software, backend server operating systems, mobile apps, and hundreds of other packages are often acquired, installed, and updated with little to no testing at any stage of the process or lifecycle. While testing Microsoft Word is possible, the approach should be risk‐based. If all of a customer's private data is stored in a Microsoft Word document, then testing that document becomes important because that is where the risk resides. However, most of the riskiest software goes unnoticed. Recent examples are the SolarWinds attack in December 2020, OpenSSL/Heartbleed in 2014, and the large, complex supply‐chain hack in late 2020 on the Vietnamese government portal that runs the country's e‐signature program. All of these were ubiquitous software in their space.

The SolarWinds software was one of the most widely used network monitoring tools on the planet. Nearly every Fortune 500 company used it, and in many cases had APIs connecting it to other tools, making it an interdependency risk. OpenSSL was the software with an open security flaw that became known as Heartbleed. OpenSSL was the key open source library many developers used when they needed a secure connection to another system. More critically, there was no tracking of where the code was deployed or who owned it, so when an issue required a code update, it took a long time to find all the locations ...


ISBN: 9781119809555