Compliance. As with standards, the concept rests firmly between "must do" and "maddening" for businesses and the companies that develop software for them. As the software supply chain become more complex, the lists of requirements and regulations an app must abide by gets longer and longer — complicating the otherwise simple act of following the rules.
No matter the industry or the software being served, third-party compliance is a big, big deal these days. However, despite the recent press focusing on this subject and even with widespread adoption of similar standards, only 10 percent of third-party apps are considered compliant with enterprise security standards. That's a major issue in a software world where businesses are every bit as responsible for purchased applications as those they develop themselves.
To put all this another way, passing the buck and pointing fingers won't work when it comes to third-party compliance.
Let's take a step back from the industry-specific stuff for a second and talk about the people most industries exist to serve in the first place: individual consumers.
Though they're obviously different in their end goals, the healthcare and finance industries are great starting points. Whether an application is designed to help customers/patients or the companies serving them, there's a good chance it needs to access sensitive, valuable data, making it an automatic target for would-be attackers.
In fact, it's that data's value that makes an end-business accountable in the event of a breach. When someone's medical or financial data is improperly accessed, she or he isn't going to be speaking to the third-party vendor that produced the faulty code, but instead will be upset with the company she or he employed in the first place. A breach is a breach is a breach. Blame means nothing when data's compromised. It's all about the results, be they positive or negative.
The trick to negating third-party compliance issues? Believe it or not, bringing another company into the fold.
Whether you're talking first- or third-party products, security is an industry in and of itself these days. Bringing an expert in early is often far less expensive than keeping security experts on staff or paying outsiders for penetration testing toward the end of development. This expert will also keep everyone honest from the onset: He or she will help you tailor a security plan to suit the needs of your individual industry or business as well as negate third-party compliance issues by playing the watchdog role for you throughout the development cycle. And it doesn't get much earlier than the beginning days of a product's life cycle, when you're deciding on exactly whom you should hire in the first place. Vendor surveys and self-attestations are nice; letting a security expert help you define the rules and pick the right third party to suit your needs is a whole lot better.
Whether you're worried about public relations, negative consequences from overseeing entities or the wrath of customers themselves, third-party vendors need to be held to the same security standards you'd apply to a first-party application. Being part of that aforementioned 10 percent is beyond crucial — and it gets exponentially more important the more sensitive the data you're handling.
Whatever you're doing to ensure your third-party vendors keep your software up to snuff, make sure you're doing something. When the alternative involves loss of money, time and reputation, it only makes sense – and that makes bringing experts in early the most sensible move of all.
Photo Source: Wikimedia Commons