Businesses run on software; it gives us the features and functions needed to make our teams more productive. However, using third-party applications (software developed by external parties) with no oversight of the secure development practices behind them can lead to a false sense of security.

It is increasingly critical that organizations understand the risk associated with sharing data with third parties; however, few organizations take this step. According to PwC's Global State of Information Security Survey, only 20% of organizations evaluate the security of third parties with which they share data or network access more than once a year.

This trend of ignoring the risk posed by third parties cannot continue.

For this reason, the FS-ISAC Product & Services Committee asked several member firms to form the Third Party Software Security Working Group. Its mandate was to analyze control options and develop specific recommendations on the software security control types that member firms should consider adding to their vendor governance programs.

The Working Group, which includes representatives from Morgan Stanley, Aetna, Thomson Reuters, Citi, Capital One, and Goldman Sachs (among many others), has published its recommendations in the paper "Appropriate Software Security Control Types for Third Party Service and Product Providers."

We at Veracode are happy to see this issue is gaining attention across the industry and laud the efforts of these information security leaders for taking the lead in addressing this issue.


About Anne Nielsen

Anne Nielsen is Senior Product Manager for Veracode's IT Supply Chain product line. Anne works with Veracode's enterprise customers to reduce the risk from their third-party applications, frameworks and components. She also works with Independent Software Vendors (ISVs) to ensure they meet corporate security policies for their enterprise customers, based on minimum acceptable levels of risk.

Comments (2)

Umair | December 18, 2013 1:53 am

How does Veracode help to check third-party applications? There are no binaries or source code available at the customer end.

anielsen | December 18, 2013 4:49 pm

Veracode works with the enterprise to understand the software suppliers leveraged at the company, then works directly with those software suppliers to scan their products and provide third party software security attestation to the enterprise.

I am happy to discuss this with you further if you have any additional questions.
