Third-party app patching covered
Demonstrate that third-party applications are systematically identified, tracked, and patched according to the organization's vulnerability management policy with the same rigor applied to operating systems and first-party enterprise software.
Description
What this control does
This control ensures that third-party applications installed on organizational systems are included in the vulnerability management and patch management lifecycle. It requires inventorying all third-party software (browsers, PDF readers, Java runtime, media players, collaboration tools, developer utilities, etc.), monitoring vendor security advisories, and applying security patches within defined timelines. Without explicit coverage, third-party applications frequently become neglected attack vectors despite representing a significant portion of the exploitable attack surface.
Control objective
What auditing this proves
Demonstrate that third-party applications are systematically identified, tracked, and patched according to the organization's vulnerability management policy with the same rigor applied to operating systems and first-party enterprise software.
Associated risks
Risks this control addresses
- Exploitation of publicly disclosed vulnerabilities in unpatched third-party software such as browsers, Adobe Reader, or Java runtime environments
- Privilege escalation attacks leveraging outdated utilities or development tools with known local elevation vulnerabilities
- Drive-by download attacks targeting known browser or plugin vulnerabilities due to delayed or absent patch deployment
- Ransomware deployment through exploitation chains that begin with compromised third-party applications excluded from patch management scope
- Data exfiltration via exploitation of vulnerabilities in communication or collaboration tools not covered by patch policies
- Compliance violations arising from failure to remediate known vulnerabilities in regulated environments within mandated timeframes
- Shadow IT proliferation where users install and maintain third-party applications outside IT visibility, creating unmanaged risk
Testing procedure
How an auditor verifies this control
- Obtain the organization's patch management policy and procedure documents to identify scope statements, exclusions, and SLA requirements for third-party application patching
- Request a current software inventory report from the asset management system or endpoint management platform covering all managed endpoints
- Review the inventory to confirm third-party applications are identified separately with version information, vendor, and categorization
- Select a sample of 15-20 endpoints across different departments and operating systems, then perform independent scanning using vulnerability assessment tools to validate inventory completeness
- Obtain patch deployment records for the most recent 90-day period and filter for third-party application updates to assess deployment frequency and coverage
- Cross-reference identified critical/high-severity third-party CVEs published in the review period against patch deployment logs to verify timely remediation
- Interview IT operations and security teams to confirm processes for monitoring third-party vendor security bulletins and integrating updates into deployment workflows
- Test a sample of 5-8 endpoints to verify currently installed third-party application versions match approved baseline configurations and recent patches are applied
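The cross-referencing steps above (inventory versus independent scan, and advisory publication dates versus patch deployment logs against the policy SLA) can be carried out mechanically once the three exports are in hand. The following script is an added illustration, not part of this control catalogue or any vendor tool: it works over constructed inventory, scan, advisory and deployment records, uses assumed remediation SLAs of 14 days for critical and 30 days for high severity, and classifies each affected endpoint as remediated within SLA, remediated late, still unpatched, or patched without a deployment record to evidence when.

```python
"""Cross-reference third-party advisories against inventory and patch logs.

Added auditing example. All records below are constructed sample data and the
SLA figures are assumed policy values, not taken from any real organization.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation SLAs in days from advisory publication, keyed by severity.
SLA_DAYS = {"critical": 14, "high": 30}
AS_OF = date(2024, 4, 30)  # end of the constructed 90-day review period


def parse_version(v: str) -> tuple:
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    app: str
    fixed_version: str  # first version containing the vendor fix
    severity: str
    published: date


@dataclass(frozen=True)
class Finding:
    host: str
    app: str
    severity: str
    status: str
    days: Optional[int]  # days to remediate, or days open if still unpatched


# Constructed inventory export from the endpoint management platform.
INVENTORY = [
    ("WS-001", "ExamplePDF", "11.0.2"),
    ("WS-002", "ExamplePDF", "11.1.0"),
    ("WS-003", "ExampleBrowser", "118.0.1"),
    ("WS-004", "ExampleBrowser", "120.0.0"),
    ("WS-005", "ExamplePDF", "11.1.0"),
]
# Constructed independent scan of the same hosts (finds one app the inventory missed).
SCAN_RESULTS = INVENTORY + [("WS-003", "ExampleRuntime", "8.0.311")]
# Constructed vendor advisories published in the review period.
ADVISORIES = [
    Advisory("ExamplePDF", "11.1.0", "critical", date(2024, 3, 1)),
    Advisory("ExampleBrowser", "119.0.0", "high", date(2024, 3, 10)),
]
# Constructed patch deployment log: (host, app, version installed, deployed on).
DEPLOYMENTS = [
    ("WS-002", "ExamplePDF", "11.1.0", date(2024, 3, 9)),
    ("WS-004", "ExampleBrowser", "120.0.0", date(2024, 4, 25)),
]


def inventory_gaps(inventory, scan_results) -> set:
    """Return (host, app) pairs seen by the independent scan but absent from inventory."""
    known = {(host, app) for host, app, _ in inventory}
    return {(host, app) for host, app, _ in scan_results if (host, app) not in known}


def evaluate_remediation(inventory, advisories, deployments, as_of, sla_days=SLA_DAYS):
    """Classify every host running an advisory-affected app against the SLA."""
    by_target = {}
    for host, app, version, deployed_on in deployments:
        by_target.setdefault((host, app), []).append((parse_version(version), deployed_on))

    findings = []
    for adv in advisories:
        fixed = parse_version(adv.fixed_version)
        sla = sla_days[adv.severity]
        for host, app, version in inventory:
            if app != adv.app:
                continue
            if parse_version(version) < fixed:
                open_days = (as_of - adv.published).days
                status = "unpatched_sla_breached" if open_days > sla else "unpatched_within_sla"
                findings.append(Finding(host, app, adv.severity, status, open_days))
                continue
            # Fixed version is installed: find the earliest deployment that delivered it.
            fixing = sorted(d for v, d in by_target.get((host, app), []) if v >= fixed)
            if not fixing:
                findings.append(Finding(host, app, adv.severity, "remediated_no_record", None))
                continue
            days = (fixing[0] - adv.published).days
            status = "remediated_within_sla" if days <= sla else "remediated_late"
            findings.append(Finding(host, app, adv.severity, status, days))
    return findings


def summarize(findings) -> dict:
    """Count findings per status for the audit summary."""
    return dict(Counter(f.status for f in findings))


if __name__ == "__main__":
    for gap in sorted(inventory_gaps(INVENTORY, SCAN_RESULTS)):
        print("inventory gap:", gap)
    for f in evaluate_remediation(INVENTORY, ADVISORIES, DEPLOYMENTS, AS_OF):
        print(f)
```

Each "unpatched_sla_breached" and "remediated_late" finding maps directly to an exception against the SLA in the patch policy, while "remediated_no_record" findings point to an evidence gap in the deployment records rather than a missing patch; both belong in the audit working papers alongside the inventory gaps.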
Where this control is tested