Businesses run on software; it gives us the features and functions needed to make our teams more productive. To get those features and functions, we turn to third-party software suppliers for the latest and greatest. However, the software suppliers that produce these nifty applications need to apply the same software security measures enterprises use for their internal software development. Unfortunately, too few enterprises have taken the steps necessary to understand the approach these software suppliers are taking to software security.
In an effort to address this issue, a group of leading banks, insurance, and mortgage companies including Morgan Stanley, Citi, Goldman Sachs, RBS Citizens, Thomson Reuters, Aetna, and many others have proposed control types which enterprises can integrate into their vendor governance program to better understand the security of their vendor-supplied software. To learn more about these control types, download the whitepaper, “Appropriate Software Security Control Types for Third Party Service and Product Providers.”
In the video below, Jim Routh, CISO of Aetna and a member of the group that designed these recommendations, describes why this issue needs to be addressed and discusses the intent and purpose of each of the three controls.
For more commentary and critical analysis of the controls proposed by FS-ISAC from Jim Routh, Wendy Nather, and Chris Wysopal, register here.