Businesses run on software; it gives us the features and functions needed to make our teams more productive. However, using third party applications - that software that was developed by external parties - with no oversight for what secure development practices are observed can lead to a false sense of security.
It is increasingly critical that organizations understand the risk associated with sharing data with third parties; however few organizations take this step. According to PWC’s Global State of Information Security Survey, only 20% of organizations evaluate the security of third parties with which they share data or network access more than once a year.
This trend of ignoring the risk posed by third parties cannot continue.
For this reason, the FS-ISAC Product & Services Committee asked several member firms to form the Third Party Software Security Working Group to determine what additional software security control types would be appropriate to add to vendor governance programs. The Third Party Software Security Working Group was established with a mandate to analyze control options and develop specific recommendations on control types for member firms to consider adding to their vendor governance programs.
The Working Group, which includes representatives from Morgan Stanley, Aetna, Thomson Reuters, Citi, Capital One, and Goldman Sachs (among many others) have published their recommendations in the paper, “Appropriate Software Security Control Types for Third Party Service and Product Providers.”
We at Veracode are happy to see this issue is gaining attention across the industry and laud the efforts of these information security leaders for taking the lead in addressing this issue.