Businesses run on software; it gives us the features and functions needed to make our teams productive. However, this time-saving software introduces risk into the organization. Too frequently, we are excited by the product and choose to trust that security has been addressed during the development of this software, without any proof that secure development practices were followed. As a result, large organizations may end up running software that accesses their critical data and systems without a true understanding of what vulnerabilities are introduced by those third-party applications. How can enterprises ensure the software they purchase is secure? Veracode awards our VerAfied mark to those software producers that have taken appropriate steps to remove vulnerabilities in their software or to comply with respected industry standards such as the OWASP Top 10 or the CWE/SANS Top 25 Most Dangerous Software Errors. Enterprises can go a step further and take a proactive approach to addressing the security of all their third-party software. Recently, the FS-ISAC Third-Party Software Security working group addressed this issue with the Whitepaper: Appropriate Software Security Control Types for Third-Party Service and Product Providers. We believe all enterprises should ask their third party software suppliers, “Where is the Risk”? If an enterprise’s software provider cannot discuss the steps they take to secure their software, they aren’t doing enough.
Infographic by Veracode Application Security