You may wonder why your Digital Footprint includes assets managed by third parties, such as marketing websites or cloud-based or SaaS providers, and what you should do about these assets.
The security risk for your organization does not stop at your owned assets. The entire attack surface extends to the third-party services that your organization uses. A risk to those assets is a risk to your organization.
This is why SecurityScorecard attributes relevant third-party assets to your Scorecard.
A past example on our own Scorecard
SecurityScorecard's own Digital Footprint previously included the domain track.securityscorecard.io for two reasons:
- securityscorecard.io is a related domain present in the SecurityScorecard.com Digital Footprint.
- track.securityscorecard.io is a subdomain of securityscorecard.io.
track.securityscorecard.io had a CNAME record pointing to the domain mandrillapp.com, which belongs to Mandrill, a vendor of SecurityScorecard. As a side effect, the IPs behind the CNAME target were also on SecurityScorecard's Digital Footprint.
The endpoints belonging to this third party offer TLS v1.0 and TLS v1.1, which we had flagged as an SSL/TLS Service Supports Weak Protocol finding while this domain was on the Scorecard's Digital Footprint. Because the CNAME connected the vendor's endpoints to our own domain, the finding was appropriate for our own Scorecard.
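The mechanism described above, as an added example that is not part of the original article or of SecurityScorecard's tooling: a small Python script that walks a CNAME chain from an owned hostname, records the third-party targets and terminal IPs that end up attributed to the footprint, and then flags any of those IPs whose TLS endpoint still negotiates a weak protocol. The DNS records, the IP addresses (RFC 5737 documentation ranges) and the TLS scan results are constructed sample data; the hostnames mirror the ones in the article.

```python
"""Walk CNAME chains to see which third-party hosts and IPs become part of a
Digital Footprint, then flag endpoints that still offer TLS 1.0 / TLS 1.1.

All DNS data and scan results below are constructed for illustration; nothing
here queries the network."""

# Constructed DNS data: name -> list of (record type, value).
DNS = {
    "track.securityscorecard.io": [("CNAME", "mandrillapp.com")],
    "mandrillapp.com": [("A", "192.0.2.10"), ("A", "192.0.2.11")],
    "www.securityscorecard.io": [("A", "198.51.100.5")],
}

# Constructed TLS scan results: ip -> protocol versions the endpoint negotiates.
TLS_SCAN = {
    "192.0.2.10": {"TLSv1.0", "TLSv1.1", "TLSv1.2"},
    "192.0.2.11": {"TLSv1.2", "TLSv1.3"},
    "198.51.100.5": {"TLSv1.2", "TLSv1.3"},
}

# Protocol versions that trigger the "SSL/TLS Service Supports Weak Protocol" finding.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def resolve_chain(name, dns, max_hops=8):
    """Follow CNAME records from `name`.

    Returns (chain, ips): the list of names visited (starting with `name`)
    and the A-record IPs found at the end of the chain. A CNAME loop or a
    chain longer than `max_hops` stops resolution and yields no IPs."""
    chain = [name]
    seen = {name}
    while True:
        records = dns.get(chain[-1], [])
        cnames = [value for rtype, value in records if rtype == "CNAME"]
        if not cnames:
            ips = [value for rtype, value in records if rtype == "A"]
            return chain, ips
        target = cnames[0]
        if target in seen or len(chain) >= max_hops:
            return chain, []
        seen.add(target)
        chain.append(target)


def attribute_assets(hostnames, dns):
    """For each owned hostname, record the third-party CNAME targets it points
    to and the IPs that join the footprint through them."""
    attribution = {}
    for host in hostnames:
        chain, ips = resolve_chain(host, dns)
        attribution[host] = {"cname_targets": chain[1:], "ips": ips}
    return attribution


def weak_protocol_findings(attribution, tls_scan):
    """Produce one finding per attributed IP that negotiates a weak protocol,
    noting which third-party name (if any) brought that IP into the footprint."""
    findings = []
    for host, info in attribution.items():
        for ip in info["ips"]:
            weak = sorted(tls_scan.get(ip, set()) & WEAK_PROTOCOLS)
            if weak:
                via = info["cname_targets"][-1] if info["cname_targets"] else None
                findings.append(
                    {"host": host, "ip": ip, "via": via, "weak_protocols": weak}
                )
    return findings


if __name__ == "__main__":
    owned = ["track.securityscorecard.io", "www.securityscorecard.io"]
    attribution = attribute_assets(owned, DNS)
    for host, info in attribution.items():
        print(f"{host}: via {info['cname_targets'] or 'no CNAME'} -> {info['ips']}")
    for finding in weak_protocol_findings(attribution, TLS_SCAN):
        print("FINDING:", finding)
```

With the constructed data, only the first Mandrill-hosted IP produces a finding, and the `via` field shows the CNAME target that caused the third-party endpoint to be attributed to the owned hostname; that is the piece of evidence to take to the vendor when deciding between accepting the finding and moving to a provider with stronger TLS settings.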
Addressing this finding
To address a finding of this kind on your own Scorecard, do one of the following:
- Indicate that your organization accepts this implementation, which means the finding remains on your Scorecard.
- Indicate that you have changed to a vendor that has the appropriate security controls in place.