Skip to main content
March 16, 2016

How the Legal Department Can Improve Your Vendor Application Security Program

In order to keep up with the need for applications, companies are purchasing software at an accelerated rate. And if you are like most companies, your processes for vetting the security of your software is probably not very sophisticated. Most companies rely on questionnaires or even just a wink and a nod from the vendor’s account manager.

Companies that recognize the risk introduced from vendor applications implement third-party application security programs. But even though vendor application security testing programs can significantly reduce risk, they can bring with them their own set of logistical dilemmas. That’s why it is best to work with a trusted advisor who has processes for creating these types of programs.  

Getting legal on your team

One thing your advisor will tell you is that working with your legal department in crafting your program is an absolute necessity. Your legal department will help you craft language to make sure your vendor contracts are consistent with the security policies you want to enact. They will also evaluate whether your security demands are reasonable and legal. 

Creating consistency

Working with the legal department will ensure legal compliance and consistency exists among your various suppliers and partners as well as your internal teams. We all know that the days of a centralized IT buying center are long gone. The democratization of IT means that anyone, in any department and at any time can purchase software to make their job more efficient. However, if you make contract reviews by the legal team part of the procurement processes, or PO process, then the legal team becomes your ally in controlling the flow of insecure software that makes its way into your environment.

A winning combination

Unlike other teams in your organization, working with legal is rather straightforward, and poses few (if any) hurdles. Legal teams understand the concept of risk reduction and liability. They understand that if you are breached due to a third-party application, it is still the name of your company in the news. So, you won’t have to do much in the way of convincing your legal team that a vendor application security testing program is necessary.

What you will have to do is help them understand best practices for these types of programs, and then iterate your program design based on their feedback.

By working with the legal team, you are creating a winning combination for a strong program that is consistently applied across your organization. Find out more with our guide, Cracking the Code on Application Security Buy-In.

Jessica is part of the content team at Veracode. In this role she strives to create and promote content that will engage, educate and inspire security professionals around the topic of application security. Jessica’s involvement with the security industry goes back more than a decade at companies like Astaro, and Sophos where she held roles in corporate communication and marketing.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.