The CA Veracode Vendor Application Security Testing (VAST) program has won the Financial World Innovation Awards, in the category of “Technology Vendors - Most Innovative Financial Services Solution”, in recognition of its ability to deliver a solution to the complex problem of third-party application security.
As financial services are driven to grow and expand, they are turning to third parties to provide the software that allows their employees to be more productive, and enables the enterprise to get to market faster. However, these mobile, SaaS, and outsourced applications have not received the strict security scrutiny common with internally developed software.
The current approach to managing this third-party software risk is a security attestation form, complemented by a penetration test for the most business-critical applications. This approach requires trust that the attestation is accurate, without any proof of software security except for those few critical systems which – time and budget permitting – receive further inspection. This blatantly violates the “Trust But Verify” security standard.
What if all financial services could ensure the security of their entire software portfolio, including third party applications, cheaply and efficiently? CA Veracode’s VAST program delivers exactly that.
In response to this third-party application security issue, CA Veracode developed a program to scan and attest to the security of an enterprise’s software supply chain. The VAST program enables enterprises to verify vendor assessments and to better understand and reduce the security risks associated with the use of third-party software, whether it is open-source, outsourced, or commercial off-the-shelf (COTS). The VAST program strengthens vendor compliance with an enterprise’s security policy and reduces overall security risk to the organization. This is the industry’s first comprehensive vendor application security compliance program – a core component of sound governance, risk management, IT vendor management and regulatory efforts.
CA Veracode is honored by this award. This recognition, coupled with the acknowledgement of the VAST program in the FS-ISAC Third Party Software Security Working Group whitepaper “Appropriate Software Security Control Types for Third Party Service and Product Providers”, further validates CA Veracode’s unique approach to the intractable problem of third-party software security.