It's no secret that third-party vendors are the backbone of software development. Positions are being created at a record pace while the roles behind them continue to drill down into more specific duties. Just throw in the scores of non-tech businesses continually uncovering critical software needs, and you have an industry in which outsourcing becomes less of a possibility and more of a self-fulfilling prophecy.
Third-party risk management can reduce the risk a company assumes in dealing with third-party vendors. Where this might have been a luxury before, the sheer prominence of outsourced vendors across multiple software markets means effective risk management saves time and money, all while promoting better security — two benefits that quickly become invaluable regardless of the organization's end goals.
Dealing with third-party vendors instead of producing all code in-house has a number of obvious advantages, and most of them are driven by ever-present time-to-market concerns. Whether you're commissioning a custom chunk of your end product or buying ready-made components that suit your needs, there's a good chance a ticking clock is looming over your head.
In a perfect world, this "LEGO-like" assembly method would come with no trade-offs. The third-party developers you hired would turn in their work on time, on budget and to specification, and the ready-made pieces would click into place as though your devs had written them themselves.
The reality is different, and it all comes down to management. In the best case, dealing with code errors and larger, more conceptual problems in a vendor's code takes time and effort. More realistically, paying to test and retest work to make sure it's up to spec is a costly, frustrating misadventure. And that's assuming manual testing or on-site, vendor-supplied testing tools catch any errors before attackers do.
Proprietary concerns about source code, and about who is allowed to see it, also complicate testing a third-party product. Once again, this is a problem that touches both custom-developed code and ready-made packages. Often, you're only able to test submitted builds manually, or with testing tools designed by the company producing the code.
If there's a common thread among all these downfalls, it's the disconnect between companies and the third parties they appoint. While you can coach your own devs and check your own source code, third parties have their own ways of doing things, not to mention a vested interest in keeping their proprietary work to themselves.
Good third-party risk management services don't just exist in the gap between hiring company and vendor — they mitigate the unpleasant parts of outsourcing by handling third-party vendors directly.
Take testing and remediation. Instead of the on-site tools and manual tests mentioned earlier in this post, Veracode uses a cloud-based platform. This offers a number of benefits: the system is automated, meaning off-site infrastructure catches errors instead of costly human eyes. Subsequent testing is also cloud-based and on-demand, giving all your vendors a consistent source for remediation and ensuring future submissions fall under the same proverbial umbrella.
That same automated system also allows for in-depth testing without looking directly at a vendor's source code. By checking a given vendor's submitted builds on cloud-based infrastructure, you get better, more thorough results faster than manual testers can provide, saving time, money and effort.
Specialization plays a key role here, too. Since third-party risk management is what Veracode does, you get dedicated expertise instead of an ad-hoc, jack-of-all-trades approach to security.
Automation and continuity are pillars of effective development these days. Bringing them to your third-party vendors is a smart move; having a dedicated team of security experts to smooth the transition and future interactions ensures consistency from beginning to end.
To some degree, companies put up with discrepancies between their developers and third-party vendors because the benefits outweigh the irritations and costs. While the approach makes sense, taking the next step (and thus knocking out a lot of those irritations while decreasing costs) makes even more.
At the very least, make sure you're giving third-party risk management due consideration, especially if your organization spends a lot of time dealing with outside vendors. Whether "efficiency" means more time, more money, a more secure product or all three, reaching out to an expert can be the first step toward getting there.