In order to keep up with the need for applications, companies are purchasing software at an accelerated rate. And if you are like most companies, your processes for vetting the security of your software is probably not very sophisticated. Most companies rely on questionnaires or even just a wink and a nod from the vendor’s account manager.
Companies that recognize the risk introduced from vendor applications implement third-party application security programs. But even though vendor application security testing programs can significantly reduce risk, they can bring with them their own set of logistical dilemmas. That’s why it is best to work with a trusted advisor who has processes for creating these types of programs.
One thing your advisor will tell you is that working with your legal department in crafting your program is an absolute necessity. Your legal department will help you craft language to make sure your vendor contracts are consistent with the security policies you want to enact. They will also evaluate whether your security demands are reasonable and legal.
Working with the legal department will ensure legal compliance and consistency exists among your various suppliers and partners as well as your internal teams. We all know that the days of a centralized IT buying center are long gone. The democratization of IT means that anyone, in any department and at any time can purchase software to make their job more efficient. However, if you make contract reviews by the legal team part of the procurement processes, or PO process, then the legal team becomes your ally in controlling the flow of insecure software that makes its way into your environment.
Unlike other teams in your organization, working with legal is rather straightforward, and poses few (if any) hurdles. Legal teams understand the concept of risk reduction and liability. They understand that if you are breached due to a third-party application, it is still the name of your company in the news. So, you won’t have to do much in the way of convincing your legal team that a vendor application security testing program is necessary.
What you will have to do is help them understand best practices for these types of programs, and then iterate your program design based on their feedback.
By working with the legal team, you are creating a winning combination for a strong program that is consistently applied across your organization. Find out more with our guide, Cracking the Code on Application Security Buy-In.