Software Vendors and Enterprises Discuss Best Practices for Addressing Third-Party Software Risk at FS-ISAC Spring Summit

Executives from Aetna, Boeing, Veracode, Microsoft and EMC look for common ground for reducing enterprise risk 


BURLINGTON, Mass. - May 7, 2014 - Veracode, the application security company, today announced that Chris Wysopal, co-founder and CTO of Veracode, will lead a panel discussion on third-party risk during the FS-ISAC Spring Summit on Wednesday, May 7th from 11:00 a.m. to 12:00 p.m. The panel — which includes security executives from Boeing, Microsoft, EMC and Aetna — will focus on best practices for securing the third-party software perimeter.

The security of third-party and open source software is an important issue facing financial services institutions. This spurred FS-ISAC to publish the “Appropriate Software Security Control Types for Third-Party Service and Product Providers” whitepaper. The FS-ISAC whitepaper states that as enterprises are getting better at defending traditional network perimeters, attackers are now targeting the software supply chain. 

Despite the need to secure the software supply chain, conflicting opinions exist regarding how to assess the security of third-party software used by financial services and other firms. Chris Wysopal will lead a panel of security executives from major software vendors and enterprises as they attempt to find common ground on the best approach for reducing enterprise risk from third-party software.

“Enterprises increasingly rely on third-party applications and components to get to market faster with new cloud and mobile applications. Some software vendors have suggested that there are other ways of addressing third-party risk outside the three controls outlined in the FS-ISAC whitepaper,” said Ed Jennings, CMO, Veracode. “However, enterprises are spending billions on software with major vendors and need to ensure the software they are purchasing isn’t introducing unnecessary risk. The FS-ISAC Spring Summit panel will provide a forum for software vendors and enterprises to discuss how the financial services industry can address this important issue.”

The Veracode Vendor Application Security Testing (VAST) program enables enterprises to reduce the risks associated with the use of third-party software — whether it is open source, outsourced, SaaS or commercial off-the-shelf — by attesting to the security of this externally developed software. As part of the VAST program, Veracode manages the vendor assessment process, works with vendors to identify and mitigate application threats using its cloud-based platform, and enables vendors to comply with their customers’ corporate security policies. With Veracode addressing software supply chain security, enterprises can safely leverage third-party software to enable innovation and gain faster time to market.

To read the full whitepaper visit: