Way back in April, Securosis published a whitepaper, “Building a Vendor (IT) Risk Management Program.” While the paper is informative and practical, do you know what is noticeably missing? Information on how to manage the risk that comes with using vendor applications. This is surprising because Securosis frequently writes about the importance of application security.
Companies are relying on software like never before, and breaches are hurting them. Look at JPMC and Target: both were victims of massive breaches in which vendor applications played a critical part in the breach kill chain. How, then, can one think about a vendor (IT) risk management program and not consider the risk introduced by the vendor’s applications?
It is easy to forget that third-party applications can be just as vulnerable as the applications companies build for themselves. The Veracode State of Software Security volume 6 report found that 3 out of 4 applications produced by software vendors fail to meet OWASP Top 10 standards. With numbers like that, companies need to stop and consider how supplementing their own development with vendor software, in order to keep up with innovation, is affecting their risk.
In no other industry is there such a lack of transparency as in the software industry. When you buy a car, you can research safety ratings and features. Real estate agents are required by law to disclose any known flaws in a property you are looking to purchase. But with software you are buying blind, putting faith in the software vendor that they practice secure coding and that they test for vulnerabilities. Unfortunately, vulnerabilities are there: Veracode’s report also found that 70 percent of applications have at least one vulnerability upon first scan. That statistic is just as true for applications produced by software companies as it is for companies producing software for their own use.
This is why software purchasers must demand security attestation for the software they are purchasing. Software companies are not going to simply offer this information if no one is asking. And asking is the only way to fully manage vendor IT risk.