During discussions in 2013 to determine the next risk areas that should be addressed by the Shared Assessments Program Tools, the focus rapidly turned to software security. As we polled our members, we found that many of them were concerned with the security of the software being provided by their vendors and, more importantly, with what they could do to determine whether that software was developed and maintained in a secure environment.
The issues to be addressed by the 2014 version of the Program Tools were prioritized by the Shared Assessments Steering Committee based on the recommendations of the SIG Working Group. A subcommittee was then formed to bring together secure software development industry experts from member organizations, in addition to knowledge experts from Veracode and Cigital to round out the risk professionals who addressed the issue.
The first item addressed by the subcommittee was identifying the key questions to ask in assessing the strength of a third party’s Software Development Life Cycle (SDLC). The assessment performed by the Shared Assessments Program Tools should be thorough and effective, but it should not try to replicate a comprehensive assessment of the type performed by Veracode and Cigital. Keeping its focus on the need to balance effectiveness with efficiency, the subcommittee began its work in the spring of 2013.
Using BSIMM as a framework, the subcommittee tackled the second major issue: how to perform the assessment. The key feature that evolved for assessing a third party’s SDLC environment is a focus on the security of the process used to develop and maintain software. Process areas investigated as part of the assessment range from the components of the third party’s SDLC policy to the frequency of code review and penetration testing and the management of post-production issues. These questions formed the basis of the full assessment of a third party’s software security that the subcommittee proposed as a new risk area (tab) for the 2014 SIG. The proposed additions to the SIG were then reviewed and approved by the full SIG Working Group and the Shared Assessments Steering Committee for inclusion in the SIG for 2014.
Recent threat reports underscore the importance of including software security in your third party assessment program. Symantec’s 2014 Internet Threat Report revealed that the share of websites containing vulnerabilities grew from 53% to 78% between 2012 and 2013. Even more troubling are the recent findings of Veracode, which determined that 90% of the policies it reviewed were not in compliance with the OWASP Top 10.
The inclusion of a thorough approach to determining the security of a third party’s software development environment is another example of Shared Assessments’ efforts to keep its Program Tools on the leading edge of identifying and managing third party risks.
Santa Fe Group Consultant and Shared Assessments Program Director, Brad Keller, has more than 25 years of experience developing and leading risk management and third-party risk assessment programs. Brad is responsible for the development of the Shared Assessments Program’s Tools and key partnerships. Follow Brad on Twitter at @sfgbrad or on LinkedIn.