Driving innovation to market usually means trusting the resilience of third-party software. The VAST program leaves less to chance. It baselines the risk posed by your third-party applications and components — and then works directly with your vendors to ensure your software supply chain is in compliance with your corporate policies.
If you’re like most businesses, more than two-thirds of your enterprise software portfolio — including commercial and outsourced applications, SaaS, third-party libraries and open source code — is provided by third-parties.
Source: Quocirca survey of 100 Global 2000 organizations
Problem is, only 10% of third-party applications are compliant with enterprise security standards such as the OWASP Top 10.*
As a result of the large and growing footprint of third-party software in the enterprise, regulatory bodies such as the OCC and industry organizations such as FS-ISAC, OWASP, NIST and the PCI Security Standards Council are now placing increased focus on controls to mitigate the risks introduced by third-party software. Clearly, relying solely on vendor surveys and self-attestations is no longer sufficient to address these risks.
With our Vendor Application Security Testing (VAST) program, you outsource both third-party vendor management and security testing of third-party applications to us. Our cloud-based platform for binary static analysis technology, unique in the industry, allows ISVs and other software developers to rapidly upload and test their compiled code, without exposing their intellectual property in the form of source code or requiring them to hire consultants or install legacy scanning tools.
Plus you’ll benefit from our experience working with more than 1,000 software vendors to date.
How VAST Works
To help enterprises better understand and reduce the security risks associated with the use of third-party software, the VAST program consists of three stages:
We work with you to formulate a third-party compliance policy and acceptance criteria, based on best practices and your corporate security policies around business criticality and risk.
We offer guidance for the creation of non-compliance penalties and escalation procedures for third-parties.
We assist you in assembling lists of vendors and applications for the program.
We provide standard templates for communicating with third-parties about the requirement to be assessed by an independent organization, typically signed by a senior executive in vendor management or procurement, security and/or IT.
Third-party uploads binaries to our security platform.
We analyze applications for vulnerabilities, based on the enterprise’s security policy.
We publish summary report to all stakeholders via our cloud-based platform.
If necessary, the software provider remediates or mitigates vulnerabilities with assistance from our security experts.
The remediated application is then re-tested to meet enterprise security policy.
We alert stakeholders when vendor-supplied software is compliant with your corporate policy.
Some enterprises allow software suppliers to submit their own attestations based on their internal testing results. These attestations are also collected and published to stakeholders via our cloud-based platform.
* State of Software Security Report (Vol. 5)