Vendor Management

Vendor Management and Software Security

As business processes have changed, the threat landscape has adapted with them, and today over 75% of all attacks are focused at the application layer, according to Gartner. Enterprise vendor management faces an uphill battle in controlling security risks across an extended software supply chain. Organizations realize that identifying and reducing the unbounded risk and capital requirements they currently absorb as a result of insecure software is critical. Vendor management plays a key role in creating a secure software procurement strategy for commercial off-the-shelf (COTS) software. Simply put, the best defense, and the easiest way to reduce application security risk from software, is to not let those risks enter the organization in the first place.

Vendor Management: Embed Security Requirements Within Your RFPs and Vendor Contracts

RFPs and software contracts usually emphasize features, quality, cost, vendor viability and preferred status as the core criteria for selection. Vendor management needs to be proactive in creating demand for secure software by moving to a secure procurement governance model that institutionalizes security into the software procurement process, including vendor selection and contract negotiation. Vendor management should require that all commercial software be independently tested for security vulnerabilities by embedding security requirements into both the RFP and the purchasing contract. Download sample contract language that you can embed in your RFPs…

Simplify Vendor Management to Reduce Software Security Risks

Veracode SecurityReview aids vendor management by providing a single point of collaboration for globally dispersed security and procurement teams to review and remediate security vulnerabilities in software. As an on-demand service, Veracode can be easily integrated into the software procurement, acceptance and vendor management processes.

Test results are delivered in a Fix-First Analysis, prioritized both by the threats with the highest risk and by the threats that can be fixed most easily. This improves management of the remediation process and allows software vendors and IT security personnel to make the best use of their time when fixing vulnerabilities.