Press & Expert Commentary

Beware of Using Some Portions:
Hidden Cybersecurity Risks in Software and Services

Cybersecurity expert Craig Petronella, founder of Petronella Technology Group in Raleigh, NC, warns Triangle businesses about the dangers of using unvetted software components, free online tools, and budget services that introduce critical security vulnerabilities into your technology infrastructure.

The Hidden Threat

The Dangerous Practice That Puts Your Business at Risk

In the rush to adopt new technology, cut costs, and accelerate digital transformation, businesses across Raleigh, Durham, and the Research Triangle Park are unknowingly introducing serious cybersecurity vulnerabilities into their operations by using software, tools, and services that have not been properly vetted for security. The practice is alarmingly common: a developer integrates a free open-source library without reviewing its code or supply chain. A marketing team installs a browser plugin to streamline social media posting without checking its permissions. A finance department subscribes to a budget SaaS platform for invoice management without reviewing the vendor's security practices or data handling policies.

These decisions, made with good intentions and genuine business needs, create invisible entry points that cybercriminals actively target. Supply chain attacks have surged dramatically in recent years, with threat actors compromising widely used software components to gain access to thousands of downstream organizations simultaneously. When your business uses unvetted software portions, you are inheriting every vulnerability in that code without knowing it exists. When you subscribe to a service that lacks proper security certifications, you are handing your sensitive data to a platform that may have no meaningful defenses against sophisticated attacks.

The consequences are not theoretical. Businesses throughout North Carolina have suffered devastating data breaches, ransomware infections, and compliance violations that traced back to a single unvetted software component or service provider. The cost of remediation, regulatory penalties, legal liability, reputational damage, and lost business often far exceeds what the company saved by choosing the cheaper or more convenient option in the first place. This is a preventable problem, but only if businesses understand the risks and take proactive steps to protect themselves.

Expert Analysis

Craig Petronella's Warning to Triangle NC Businesses

"The biggest cybersecurity mistake I see businesses in the Raleigh-Durham area making today is the assumption that if a piece of software is widely available or free to use, it must be safe," says Craig Petronella, founder and CEO of Petronella Technology Group, a cybersecurity and IT management firm that has served more than 2,500 companies over 22 years with zero security breaches among clients following its security program. "That assumption is fundamentally wrong, and it is costing businesses millions of dollars in preventable breaches every year."

"Just because software is popular does not mean it is secure. Just because a service is free does not mean it is safe. Every piece of technology you introduce into your environment carries risk, and if you are not evaluating that risk before deployment, you are gambling with your data, your compliance, and your reputation." — Craig Petronella

Petronella explains that the threat landscape has evolved significantly over the past several years, with attackers increasingly targeting the software supply chain rather than attacking individual organizations directly. By compromising a single widely used software component, library, or service, attackers can gain access to hundreds or even thousands of organizations that depend on that component. This approach is far more efficient for attackers than targeting individual companies one at a time, and it exploits the trust relationships that businesses place in their technology vendors and software dependencies.

"We have seen cases right here in the Triangle where a business installed a free project management tool that contained a backdoor allowing remote access to their entire network," Petronella continues. "We have seen cases where a WordPress plugin used by a local company was compromised in an update, giving attackers the ability to inject malicious code into the company's website and steal customer credit card data. We have seen cases where a cloud storage service used by a medical practice had no encryption and no access controls, putting thousands of patient records at risk of HIPAA violations."

The pattern is consistent: businesses prioritize convenience, cost savings, or speed of deployment over security evaluation, and the consequences are severe. Petronella emphasizes that this is not about avoiding new technology or refusing to use third-party services. It is about implementing a disciplined evaluation process that assesses the security posture of every technology component before it enters your environment.

Critical Warning Signs to Watch For

Craig Petronella identifies several red flags that indicate a software product or service may introduce unacceptable security risk: the vendor cannot provide evidence of a recent third-party security audit; the software requires excessive permissions that are not aligned with its stated functionality; the product has no clear privacy policy or data handling documentation; the service stores data in jurisdictions with weak data protection laws; the vendor has no published incident response plan or breach notification policy; and the software has known unpatched vulnerabilities listed in public databases such as the National Vulnerability Database.

"My advice to every business owner and IT leader in Raleigh, Durham, and the Research Triangle Park is straightforward," Petronella states. "Before you install any new software, subscribe to any new service, or integrate any new component into your technology infrastructure, you need to ask three fundamental questions. First, what data does this tool access, and is that access proportional to its function? Second, what is the vendor's security track record, and can they demonstrate it with evidence? Third, what happens to your data if the vendor is breached, goes offline, or goes out of business? If you cannot get satisfactory answers to all three questions, do not proceed until you can."

Key Risk Areas

Six Dangerous Practices That Expose Your Business

Craig Petronella and the PTG security team have identified six common practices that introduce the most significant cybersecurity risks for businesses across the Triangle NC region.

Unvetted Open-Source Libraries

Open-source software powers a significant portion of modern business applications, but not all open-source libraries are maintained with security as a priority. Abandoned libraries with known vulnerabilities, packages with typosquatted names designed to trick developers into installing malicious code, and dependencies with compromised maintainer accounts are all attack vectors that have been used successfully against businesses in the Triangle region and worldwide. Without a formal software composition analysis process that inventories all open-source components, checks them against vulnerability databases, and monitors them for newly discovered security issues, your applications are built on an unpredictable foundation that attackers know how to exploit systematically.
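As an added illustration of the inventory-and-check process described above (example code written for this page, not PTG's own tooling), the script below runs a dependency inventory against an advisory feed and flags package names one edit away from a vetted package; the inventory, the advisory feed, the allowlist and every advisory id are constructed sample values.

```python
"""Minimal software composition analysis (SCA) pass over a dependency inventory.

All data here is constructed sample data: the inventory, the advisory feed and
the vetted-package allowlist are made up, not a real vulnerability database.
"""
import re

# Constructed inventory: (package name, pinned version) as a lockfile would list them.
INVENTORY = [("requests", "2.25.0"), ("reqeusts", "1.0.0"),
             ("flask", "2.3.2"), ("pyyaml", "5.3")]

# Constructed advisory feed: (package, first affected, first fixed, advisory id).
# "first fixed" is exclusive; None would mean no patched release exists yet.
ADVISORIES = [("requests", "2.0.0", "2.31.0", "ADV-SAMPLE-001"),
              ("pyyaml", "0.0.0", "5.4", "ADV-SAMPLE-002"),
              ("flask", "2.3.0", "2.3.1", "ADV-SAMPLE-003")]

# Constructed allowlist of package names the organisation has already vetted.
KNOWN_GOOD = {"requests", "flask", "pyyaml", "django"}


def parse_version(text):
    """Turn '2.25.0' (or a short '5.3') into a comparable 3-tuple of ints."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0])[:3])


def edit_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposed pair
    return d[len(a)][len(b)]


def matching_advisories(name, version):
    """Advisory ids whose affected range [first affected, first fixed) holds version."""
    v = parse_version(version)
    return [adv for pkg, lo, hi, adv in ADVISORIES
            if pkg == name and parse_version(lo) <= v
            and (hi is None or v < parse_version(hi))]


def typosquat_candidates(name):
    """Vetted names within one edit of an unvetted name, e.g. 'reqeusts' -> 'requests'."""
    if name in KNOWN_GOOD:
        return []
    return sorted(k for k in KNOWN_GOOD if edit_distance(name, k) <= 1)


def scan(inventory):
    """Map each risky dependency to its findings; clean dependencies are omitted."""
    findings = {}
    for name, version in inventory:
        issues = [f"known vulnerability {a}" for a in matching_advisories(name, version)]
        issues += [f"possible typosquat of {k}" for k in typosquat_candidates(name)]
        if issues:
            findings[name] = issues
    return findings
```

Running `scan(INVENTORY)` reports the two pinned versions inside an advisory range and the misspelled package; the correctly patched flask entry produces nothing.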

Free Browser Extensions and Plugins

Browser extensions operate with broad permissions that can include reading all data on every website visited, modifying web page content, accessing cookies and session tokens, and exfiltrating sensitive information to external servers without the user's knowledge. Many popular free browser extensions have been purchased by malicious actors who then push compromised updates to the existing install base, transforming a trusted tool into a surveillance device overnight. Businesses in Raleigh-Durham that do not maintain strict policies governing browser extension installation are exposing their corporate credentials, financial data, customer information, and intellectual property to threats they cannot detect with conventional endpoint protection tools.
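To make the permissions point concrete, here is an added example (written for this page, not PTG's tooling) that reads an extension manifest and reports each permission or host pattern that goes beyond what a social-media posting tool would need; the manifest, the extension name and the expected-host list are constructed assumptions.

```python
"""Review a browser extension manifest for permissions broader than its stated job.

The manifest below is constructed sample data for a hypothetical social-media
posting extension; it is not a real extension and no real product is implied.
"""
import json

# Constructed Manifest V3 document for the hypothetical extension.
SAMPLE_MANIFEST = """
{
  "manifest_version": 3,
  "name": "QuickPost Social Helper (hypothetical)",
  "description": "Schedule posts to your social media accounts.",
  "permissions": ["storage", "cookies", "webRequest", "tabs", "clipboardRead"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]
}
"""

# Hosts the stated purpose would plausibly need (an assumption for this example).
EXPECTED_HOSTS = ("twitter.com", "linkedin.com", "facebook.com")

# API permissions that reach credentials, traffic or data belonging to other sites.
HIGH_RISK = {
    "cookies": "reads session cookies on every permitted host",
    "webRequest": "observes every network request the browser makes",
    "webRequestBlocking": "can rewrite or block network requests",
    "tabs": "reads the URL and title of every open tab",
    "history": "reads the full browsing history",
    "clipboardRead": "reads the clipboard, including pasted passwords",
    "nativeMessaging": "talks to a native program outside the browser sandbox",
    "debugger": "attaches the DevTools protocol to any page",
    "scripting": "injects script into permitted pages",
}

# Match patterns that grant access to every site rather than specific hosts.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def review_manifest(manifest_text):
    """Return one finding per permission or host pattern that exceeds the stated purpose."""
    manifest = json.loads(manifest_text)
    findings = []
    for perm in manifest.get("permissions", []):
        if perm in HIGH_RISK:
            findings.append(f"permission '{perm}': {HIGH_RISK[perm]}")
    # host_permissions and content-script matches together decide which sites it touches.
    hosts = list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.extend(script.get("matches", []))
    for pattern in hosts:
        if pattern in BROAD_HOST_PATTERNS:
            findings.append(f"host pattern '{pattern}': runs on every site visited")
        elif not any(host in pattern for host in EXPECTED_HOSTS):
            findings.append(f"host pattern '{pattern}': outside the hosts the purpose needs")
    return findings


def verdict(manifest_text):
    """'reject' if it can run on every site, 'review' on any other finding, else 'ok'."""
    findings = review_manifest(manifest_text)
    if any("runs on every site" in f for f in findings):
        return "reject"
    return "review" if findings else "ok"
```

For the sample manifest the review yields six findings and a "reject" verdict; the same check on a manifest scoped to one expected host with only "storage" returns "ok".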

Budget SaaS Platforms Without Certification

The proliferation of software-as-a-service platforms has given businesses access to powerful tools at low costs, but not every SaaS provider invests in the security infrastructure necessary to protect the data they are entrusted with. Platforms that lack SOC 2 certification, that cannot demonstrate compliance with relevant regulatory frameworks, that store data without encryption, or that have no defined incident response procedures represent serious risks to any business that stores sensitive data on those platforms. Craig Petronella recommends that businesses in the Triangle NC region require evidence of current security certifications from every SaaS vendor before entrusting them with any business data, regardless of how attractive the pricing may be.

Shadow IT and Unauthorized Tools

Shadow IT refers to the use of software, services, and devices by employees without the knowledge or approval of the IT department. This practice is rampant in organizations of all sizes and introduces uncontrolled risk into the technology environment. When a sales team uses an unauthorized file sharing service, when a marketing department signs up for an unapproved analytics tool, or when an executive downloads a personal VPN on their corporate laptop, the organization loses visibility into where its data is going and what security controls are protecting it. PTG recommends implementing a formal software approval process combined with technical controls that detect and prevent the use of unauthorized applications across your corporate network.

Pirated or Unlicensed Software

The use of pirated or unlicensed software remains a persistent problem, particularly among small businesses trying to reduce costs. Beyond the obvious legal and ethical issues, pirated software is one of the most reliable delivery mechanisms for malware, ransomware, and remote access trojans. Cracked software packages are frequently bundled with hidden malicious code that activates after installation, providing attackers with persistent access to the infected system and every network it connects to. Petronella emphasizes that the short-term cost savings from pirated software are dwarfed by the potential costs of a malware infection, regulatory penalties for unlicensed commercial use, and the reputational damage that follows a breach linked to pirated software usage.

Outdated or Unsupported Software

Running software that has reached end-of-life and no longer receives security updates is one of the most common and most dangerous vulnerabilities that PTG identifies during security assessments of Triangle NC businesses. When a vendor stops releasing patches for a software product, every newly discovered vulnerability in that product becomes a permanent, unfixable security hole. Attackers actively scan for systems running end-of-life software because they know those systems will never be patched. Craig Petronella warns that many businesses in the Raleigh-Durham area are running critical operations on outdated operating systems, web servers, database platforms, and business applications that have not received security updates in years, creating exposure that grows more dangerous with every passing day.

Proven Track Record

Why Businesses Trust Craig Petronella's Cybersecurity Expertise

22+ Years of Security Expertise
2,500+ Companies Protected
0 Client Breaches
1000s of Vulnerabilities Identified

Ready to see what PTG can do for your business? Schedule a free consultation and join the businesses across the Triangle that trust us with their technology.

919-348-4912

Why Petronella Technology Group

Expert Protection Against Software and Service Vulnerabilities

Software Supply Chain Auditing

PTG conducts comprehensive software supply chain audits that identify every third-party component, library, plugin, and service in your technology environment. We assess each component for known vulnerabilities, evaluate vendor security practices, and provide a risk-ranked remediation plan that addresses the most dangerous exposures first. This proactive approach has protected over 2,500 businesses from supply chain attacks for more than 22 years.

Vendor Risk Assessment

Before your business entrusts data to any SaaS platform, cloud service, or third-party provider, PTG can conduct a thorough vendor risk assessment that evaluates the provider's security certifications, data handling practices, incident response capabilities, and compliance posture. This assessment ensures that your vendor relationships do not introduce unacceptable risk into your operations, which is especially critical for businesses in the Raleigh-Durham area subject to HIPAA, PCI-DSS, or other regulatory frameworks.

Shadow IT Discovery and Control

PTG implements comprehensive shadow IT discovery programs that identify unauthorized software, services, and devices operating in your environment without IT oversight. We combine network monitoring tools with policy development and employee education to bring shadow IT under control, reducing your attack surface while providing approved alternatives that meet your team's legitimate business needs without compromising security.

Continuous Vulnerability Monitoring

Cybersecurity is not a one-time assessment; it requires continuous vigilance. PTG provides ongoing vulnerability monitoring that tracks your entire software inventory against newly discovered threats, alerts your team to emerging risks in real time, and ensures that critical patches and updates are applied promptly. This continuous monitoring capability is what enables our strong security track record for clients on our managed program and ensures that the businesses we protect stay secure as the threat landscape evolves daily.

Frequently Asked Questions

Software Security Risks FAQ

What does it mean to beware of using some portions of software?
This refers to the practice of using software components, libraries, plugins, services, or tools without thoroughly evaluating their security posture. Some portions of software may contain vulnerabilities, backdoors, malicious code, or weak security practices that put your business data and infrastructure at risk. Craig Petronella warns that businesses in the Triangle NC area must implement a disciplined evaluation process before introducing any new technology into their environment.

What are supply chain attacks and how do they affect Triangle NC businesses?
Supply chain attacks occur when cybercriminals compromise a widely used software component or service to gain access to the organizations that depend on it. Instead of attacking your business directly, attackers infiltrate a vendor, library, or tool you trust, and use that compromised trust relationship to access your systems and data. Triangle NC businesses are particularly vulnerable because the Research Triangle Park is a technology hub with complex software ecosystems and extensive third-party dependencies.

How can I tell if a software tool or service is safe to use?
Look for evidence of third-party security audits, SOC 2 or ISO 27001 certification, a clear privacy policy, transparent data handling practices, a published incident response plan, and a track record of timely security patching. Check the National Vulnerability Database for known issues with the product. Request documentation of the vendor's security controls before signing any agreement. If a vendor cannot provide satisfactory answers to these inquiries, treat that as a significant red flag and consider alternatives.

Are free software tools and browser extensions dangerous?
Free tools are not inherently dangerous, but they require extra scrutiny. Free software and browser extensions are common vectors for malware, data exfiltration, and unauthorized surveillance because their free pricing model may be subsidized by data collection practices, and they are frequently purchased by malicious actors who push compromised updates. Always evaluate the permissions a free tool requests, review its privacy policy, research its developer reputation, and monitor it for changes in behavior or ownership.

What is shadow IT and why is it a security risk?
Shadow IT refers to software, services, and devices used by employees without the knowledge or approval of the IT department. It is a security risk because unvetted tools may lack proper security controls, create unmonitored pathways for data exfiltration, violate compliance regulations, and expand the organization's attack surface without visibility. PTG helps Raleigh-Durham businesses implement policies and technical controls that bring shadow IT under control while providing approved alternatives for legitimate business needs.

How does PTG help businesses evaluate software security?
Petronella Technology Group provides comprehensive software security evaluation services including software composition analysis, vendor risk assessments, penetration testing, vulnerability scanning, and security architecture reviews. Our team evaluates every component in your technology stack against known vulnerability databases, assesses vendor security practices, and provides actionable recommendations for mitigating identified risks. This service is available as part of our managed security offerings or as a standalone engagement.

What should I do if I discover we are using unvetted software?
If you discover unvetted software in your environment, do not panic, but do act quickly. First, inventory all unvetted tools and identify what data they access. Second, check those tools against known vulnerability databases. Third, assess whether any sensitive data has been exposed. Fourth, develop a remediation plan that either secures, replaces, or removes the unvetted tools. Contact PTG at 919-348-4912 for an expert assessment if you need professional guidance through this process.

How often should we audit our software and third-party services?
Craig Petronella recommends conducting a comprehensive software and vendor audit at least annually, with continuous monitoring in between audits for newly discovered vulnerabilities. High-risk environments such as healthcare, financial services, and government contracting organizations should consider quarterly audits. Additionally, any time a new software component or service is introduced, it should undergo a security evaluation before deployment regardless of the audit cycle.

Does this apply to cloud services and SaaS platforms too?
Absolutely. Cloud services and SaaS platforms are among the most common sources of unvetted technology risk. When you store your data on a third-party cloud platform, you are trusting that provider with the security of your information. If that provider has weak security controls, inadequate encryption, or poor access management practices, your data is at risk regardless of how strong your own internal security measures are. Every cloud service and SaaS subscription should undergo vendor risk assessment before onboarding.

Can PTG help if we have already experienced a breach from unvetted software?
Yes. Petronella Technology Group provides incident response services for businesses that have experienced security breaches, including breaches traced to unvetted software or compromised supply chains. Our incident response team can contain the breach, investigate the scope of compromise, preserve forensic evidence, assist with regulatory notification requirements, and develop a comprehensive remediation plan to prevent recurrence. Contact us immediately at 919-348-4912 if you suspect an active breach.

Protect Your Business Today

Do Not Wait for a Breach to Discover Your Blind Spots

Every unvetted software component and unsecured service in your environment is a potential entry point for attackers. Petronella Technology Group has protected over 2,500 businesses for more than 22 years with zero breaches among clients following our security program. Let our experts evaluate your software supply chain, identify hidden vulnerabilities, and build a security strategy that keeps your Raleigh-Durham business protected. Request your free cybersecurity assessment today or call us directly for immediate expert guidance.

Ready to get started? Call us at 919-348-4912 or contact us online for a free consultation.