We recently hosted a webinar featuring Chenxi Wang of Forrester Research Inc. and Chad Holmes of CA Veracode that discussed how enterprises can better understand and reduce the security risks associated with using vendor-supplied software. This blog post highlights the key takeaways of the webinar. The webinar begins with Chenxi detailing the proliferation of third-party software use by enterprises today. Nearly all businesses can now be viewed as “extended enterprises,” that is, enterprises that run a multitude of software and applications across different devices and different user populations. On top of that, businesses use a huge variety of third-party software, including:
Unfortunately, this widespread growth and adoption of third-party apps comes with an increase in the security risks enterprises face. There are a few questions that AppSec teams should be asking themselves when it comes to third-party application security:
The good news is that enterprises are beginning to recognize and address these risks. Chenxi provides data from a 2011 Forrester survey showing that 48% of enterprises ranked implementing security requirements with business partners/third parties as a critical or high priority (11% responded “critical,” 37% responded “high”). However, while many enterprises emphasized the importance of establishing security requirements for third parties, far fewer are actively implementing third-party security measures. According to 2012 surveys from PwC, only 23.6% of enterprises require that third parties comply with specific security policies, and only 26% conduct compliance audits of third parties. Chenxi concludes her presentation with recommendations for mitigating third-party risks:
Following Chenxi’s presentation, Chad weighs in with insight from third-party analysis conducted by CA Veracode. He begins by stressing that every enterprise has unique security needs and should take a few steps to ensure that it understands and can address them. This begins with accepting that every enterprise, whether purchaser or vendor, is responsible for deploying secure software. Additionally, enterprises and vendors need to know the stakeholders in this process. For enterprises, it is important to know who is actually producing the software they are purchasing. For vendors, it is important to know whom the software is being produced for and the needs of those consumers. Chad concludes the webinar with a few recommendations of his own. He offers two guiding principles for mitigating risk with third-party software. First, enterprises have all the leverage in the enterprise/vendor relationship. Second, basic project management is critical to success when sourcing secure software from third parties. These two principles lay the foundation for Chad’s five best practices for enterprises and vendors engaged in the application analysis and remediation process:
Watch the full webinar here for CA Veracode third party data, case studies, presentation slides, and more.