SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

Black Kite unveils tool to analyse third-party software risk

Thu, 8th Jan 2026

Black Kite has launched a Product Analysis module that gives security and third-party risk teams a detailed view of risks within individual software products, extending assessment beyond the vendor level.

The cyber risk management company said the module allows organisations to scrutinise third-party software at a more granular level. The feature introduces product-focused views of exposure across downloadable software, software-as-a-service (SaaS) implementations and software bills of materials (SBOMs).

Black Kite positions the tool as an extension of traditional third-party risk management (TPRM) approaches. These approaches have often relied on aggregate assessments of vendors rather than the specific products and components that sit inside customer environments.

"Organisations depend on a wide range of software products that can introduce hidden risks into their environments," said Candan Bolukbas, CTO & Founder, Black Kite. "Vendor assessments provide critical visibility, but a strong overall vendor posture doesn't necessarily guarantee the security of every product they offer, and vice versa. Black Kite's new Product Analysis module closes that gap by giving teams precise, actionable insight into where vulnerabilities exist, from SaaS to software supply chain dependencies, so they can take targeted action before risk becomes exposure."

Shift to product view

The Product Analysis module focuses on risk at the level of individual products rather than only at the supplier level. Black Kite said this supports more detailed decisions during software evaluation and onboarding. It also said this structure supports more targeted vendor outreach when specific products raise concern.

The module aggregates different sources of technical and contextual information into a unified view. This includes data on known vulnerabilities, exploit activity, certifications and life-cycle status.

Black Kite said the approach aims to improve both the speed and accuracy of product evaluations by reducing manual data gathering. Security teams can compare products within a single vendor's portfolio or across competing providers.

Downloadable software analysis

One element of the Product Analysis module focuses on downloadable software and uses Common Platform Enumeration (CPE) identifiers, the structured names (vendor, product, version and related attributes) that vulnerability databases such as the NVD use to label affected software. This feature maps software products to the vendors that produce them. It then assigns risk levels such as low, medium or high.

The classification uses data from Common Vulnerabilities and Exposures (CVEs). It also uses information on available exploits, existing certifications and whether products are approaching or past end-of-life.

This information gives TPRM teams a structured view of vulnerabilities in traditional software deployments. It covers products installed on-premises or in customer-managed environments.
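As an added illustration of the CPE-based approach described above (example code, not Black Kite's implementation; its scoring thresholds, the vendor and product names, the CVE identifiers of the form CVE-0000-000N and the end-of-life dates are all constructed), the block below parses CPE 2.3 names into vendor/product attributes, handling the escaped colons the CPE grammar permits, and then classifies each product from known CVEs, exploit availability, certification and end-of-life status:

```python
"""Map CPE 2.3 identifiers to vendor/product and assign a coarse risk level.

Added example, not Black Kite's code. The CVE records, EOL dates, vendor
names and the thresholds in classify_risk() are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# The eleven attributes that follow "cpe:2.3" in a CPE 2.3 formatted string.
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def split_cpe23(cpe: str) -> list[str]:
    """Split a CPE 2.3 string on unescaped colons only.

    The grammar allows '\\:' inside a component, so a plain str.split(':')
    would misalign every field after such a product name.
    """
    fields: list[str] = []
    cur: list[str] = []
    i = 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            cur.append(cpe[i:i + 2])  # keep the escape pair verbatim
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_cpe23(cpe: str) -> dict[str, str]:
    """Return the CPE attributes as a dict, or raise on a malformed name."""
    parts = split_cpe23(cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE23_FIELDS, parts[2:]))


@dataclass
class CveRecord:
    cve_id: str
    cvss: float            # CVSS v3 base score
    exploit_public: bool   # e.g. listed in CISA KEV or has a public PoC


@dataclass
class ProductRecord:
    cpe: str
    cves: list[CveRecord] = field(default_factory=list)
    eol: date | None = None    # vendor end-of-life date, if known
    certified: bool = False    # holds a relevant security certification


def classify_risk(p: ProductRecord, today: date) -> str:
    """Return 'low', 'medium' or 'high'. Thresholds are assumptions."""
    max_cvss = max((c.cvss for c in p.cves), default=0.0)
    exploited = any(c.exploit_public for c in p.cves)
    past_eol = p.eol is not None and p.eol <= today
    near_eol = p.eol is not None and not past_eol and (p.eol - today).days <= 180
    if exploited or past_eol or max_cvss >= 9.0:
        return "high"          # exploited, unsupported, or critical: act now
    if near_eol or max_cvss >= 7.0:
        return "medium"
    if max_cvss >= 4.0 and not p.certified:
        return "medium"        # certification only discounts moderate findings
    return "low"


def inventory_by_vendor(products: list[ProductRecord],
                        today: date) -> dict[str, list[tuple[str, str]]]:
    """Group (product, risk) pairs under the vendor taken from the CPE."""
    out: dict[str, list[tuple[str, str]]] = {}
    for p in products:
        attrs = parse_cpe23(p.cpe)
        out.setdefault(attrs["vendor"], []).append(
            (attrs["product"], classify_risk(p, today)))
    return out


# Constructed sample inventory (vendors, products and CVE ids are fictional).
SAMPLE_PRODUCTS = [
    ProductRecord(cpe="cpe:2.3:a:examplecorp:reporting\\:server:4.2:*:*:*:*:*:*:*",
                  cves=[CveRecord("CVE-0000-0001", 9.8, True)]),
    ProductRecord(cpe="cpe:2.3:a:examplecorp:timesheet:2.0:*:*:*:*:*:*:*",
                  cves=[CveRecord("CVE-0000-0002", 6.5, False)], certified=True),
    ProductRecord(cpe="cpe:2.3:a:othervendor:legacy_agent:1.0:*:*:*:*:*:*:*",
                  eol=date(2024, 6, 30)),
    ProductRecord(cpe="cpe:2.3:a:othervendor:portal:3.1:*:*:*:*:*:*:*",
                  cves=[CveRecord("CVE-0000-0003", 5.3, False)]),
]
TODAY = date(2026, 1, 8)

if __name__ == "__main__":
    for vendor, items in inventory_by_vendor(SAMPLE_PRODUCTS, TODAY).items():
        print(vendor, items)
```

The point of the escaped-colon handling is that a product mapped to the wrong vendor because of a naive split silently lands in the wrong place in the inventory; the `legacy_agent` entry shows why end-of-life status has to be scored even when no CVE is on file, since an unsupported product will never receive a fix.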

SaaS subdomain mapping

A second element focuses on SaaS products through subdomain analysis. The module identifies SaaS subdomains and links them to the correct company. It then evaluates each subdomain for vulnerabilities and possible exploits.

This analysis reflects the shift of many business applications into cloud-hosted and subscription models. Risk teams often find it more difficult to track exposed interfaces and configuration issues in SaaS than they do for on-premises software.

The mapping of subdomains to companies gives organisations a clearer inventory of where SaaS services sit within their extended environment. It also gives a basis for monitoring changes in exposure over time.

SBOM and open source

The third component of the module analyses SBOMs. It focuses on open-source components and software dependencies that sit inside third-party products.

The tool examines listed components and their relationships and highlights hidden vulnerabilities and nested (transitive) dependencies that do not appear in a product's top-level component list. This type of analysis has drawn more attention as organisations respond to attacks that target open-source libraries inside commercial products.
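To show what "examining listed components and their relationships" involves in practice, here is an added example (not Black Kite's code) that walks the dependency graph of a CycloneDX JSON SBOM from the product's root component, records the path by which each nested component is reached, and flags components matching a constructed advisory list. The SBOM document, the package names and versions, and the `ADV-EXAMPLE-N` advisory identifiers are all made up for the example; the `dependsOn` edge to an undeclared component is included deliberately, because an SBOM that references components it never lists is itself a finding:

```python
"""Walk a CycloneDX SBOM dependency graph and flag vulnerable transitive components.

Added example, not Black Kite's code. The SBOM, package names/versions and the
advisory list are constructed for illustration.
"""
import json
from collections import deque

# Constructed CycloneDX 1.5 document. "bom-ref" ties components to the
# "dependencies" graph; metadata.component is the product being assessed.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:generic/examplecorp/portal@3.1.0",
                               "name": "portal", "version": "3.1.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/webframe@2.4.0", "name": "webframe", "version": "2.4.0"},
        {"bom-ref": "pkg:pypi/tmplengine@1.9.2", "name": "tmplengine", "version": "1.9.2"},
        {"bom-ref": "pkg:pypi/yamlload@0.8.1", "name": "yamlload", "version": "0.8.1"},
        {"bom-ref": "pkg:pypi/logfmt@3.0.0", "name": "logfmt", "version": "3.0.0"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/examplecorp/portal@3.1.0",
         "dependsOn": ["pkg:pypi/webframe@2.4.0", "pkg:pypi/logfmt@3.0.0"]},
        # cryptohelper is referenced here but never declared as a component
        {"ref": "pkg:pypi/webframe@2.4.0",
         "dependsOn": ["pkg:pypi/tmplengine@1.9.2", "pkg:pypi/cryptohelper@1.0.0"]},
        {"ref": "pkg:pypi/tmplengine@1.9.2", "dependsOn": ["pkg:pypi/yamlload@0.8.1"]},
        {"ref": "pkg:pypi/yamlload@0.8.1", "dependsOn": []},
        {"ref": "pkg:pypi/logfmt@3.0.0", "dependsOn": []},
    ],
})

# Constructed advisory feed: a component is affected if its version is below fixed_in.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "name": "yamlload", "fixed_in": "0.9.0"},
    {"id": "ADV-EXAMPLE-2", "name": "logfmt", "fixed_in": "2.0.0"},
]


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only; enough for the constructed sample."""
    return tuple(int(x) for x in v.split("."))


def load_graph(sbom_json: str):
    bom = json.loads(sbom_json)
    comps = {c["bom-ref"]: c for c in bom.get("components", [])}
    root = bom["metadata"]["component"]
    comps[root["bom-ref"]] = root
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root["bom-ref"], comps, edges


def dependency_paths(root_ref: str, edges: dict) -> dict:
    """BFS from the root. Returns {ref: shortest path from root}; depth is len-1."""
    paths = {root_ref: [root_ref]}
    queue = deque([root_ref])
    while queue:
        cur = queue.popleft()
        for child in edges.get(cur, []):
            if child not in paths:          # also terminates on cycles
                paths[child] = paths[cur] + [child]
                queue.append(child)
    return paths


def find_vulnerable(sbom_json: str, advisories: list) -> list:
    """Return findings sorted by depth: direct deps first, nested ones after."""
    root_ref, comps, edges = load_graph(sbom_json)
    findings = []
    for ref, path in dependency_paths(root_ref, edges).items():
        comp = comps.get(ref)
        if comp is None:
            # Edge points at a component the SBOM never declares: a data
            # quality defect that hides whatever that component pulls in.
            findings.append({"ref": ref, "advisory": "UNDECLARED_COMPONENT",
                             "depth": len(path) - 1, "path": path})
            continue
        for adv in advisories:
            if (comp["name"] == adv["name"]
                    and parse_version(comp["version"]) < parse_version(adv["fixed_in"])):
                findings.append({"ref": ref, "advisory": adv["id"],
                                 "depth": len(path) - 1, "path": path})
    return sorted(findings, key=lambda f: (f["depth"], f["ref"]))


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_SBOM, ADVISORIES):
        print(f["advisory"], "depth", f["depth"], " -> ".join(f["path"]))
```

Keeping the path rather than just the component name is what makes the output actionable for vendor outreach: the affected `yamlload` sits three levels below the product, so the fix has to come through `webframe` and `tmplengine`, not from the product vendor replacing a direct dependency.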

Regulated sectors and public bodies increasingly request SBOMs from software suppliers. They use them as part of wider compliance and risk programmes that also reference requirements under US Executive Order 14028 (Improving the Nation's Cybersecurity) and similar measures in other jurisdictions.

Compliance and monitoring

Black Kite said TPRM teams and security leaders can use the Product Analysis module for both pre-procurement checks and continuous oversight. It pointed to use during software selection processes. It also highlighted scenarios in which teams must decide on upgrades, configuration changes or compensating controls.

The company said the module supports organisations that must conduct SBOM analysis as part of federal or industry regulations. It also said it offers a structure for broader assessments of software supply chain risk, which extend beyond immediate vendors to the products and components that those vendors rely on.

According to Black Kite, combining downloadable software analysis, SaaS subdomain mapping and SBOM-focused review gives customers a more complete product inventory. It also said this structure supports prioritisation of remediation efforts when multiple products or suppliers share the same underlying vulnerability.

Bolukbas said many organisations now seek more specific insight into software exposure across complex ecosystems of suppliers and sub-suppliers.
