Best Practices for Secure Procurement

Enterprises face an uphill battle in controlling security risk across their extended software supply chain. Identifying, controlling and reducing the unbounded risk, and the capital that organizations currently spend absorbing the consequences of insecure software, is critical. Veracode recommends six steps that help you implement a secure procurement strategy for commercial off-the-shelf (COTS) applications.

1. Determine Applications' Business Criticality

The business criticality of each application is an important input to a clear security risk profile for your entire application portfolio. Base the business criticality rating on six potential-impact dimensions (the same six impact categories NIST SP 800-63 uses to derive assurance levels): a) inconvenience, distress, or damage to standing or reputation; b) financial loss or agency liability; c) harm to organization programs or stakeholders; d) unauthorized release of sensitive information; e) personal safety; and f) civil or criminal violations. Rate each dimension for the worst credible outcome of a compromise of that application, and let the highest-impact dimension drive the overall criticality. Download a worksheet to determine the business criticality of your applications…

2. Embed Security Requirements Within Your RFPs and Vendor Contracts

RFPs for software purchases usually emphasize features, quality, cost, vendor viability and preferred-vendor status as the core selection criteria, and say nothing about security. Organizations need to be proactive in creating demand for secure software by moving to a procurement governance model that institutionalizes security across the procurement process, including vendor selection, contract negotiation and acceptance. Contract language should state what evidence of security testing the vendor must deliver, the acceptable severity of open findings at acceptance, and the vendor's obligation to remediate defects found after delivery. Download sample contract language that you can embed in your RFPs…

3. Obtain an Independent, Trusted Software Security Assessment

Until now, genuine security testing of third-party software has been nearly impossible because purchasers cannot get access to the vendor's source code, and manual code review is costly and slow even when they can. Veracode provides an independent rating of software security risk based on its automated, on-demand service, which analyzes the compiled binaries that ship to customers. This lets Veracode cover 100% of the third-party code as actually delivered, without requiring access to source code or infringing on the software vendor's intellectual property.

4. Set Security Thresholds for Commercial Off-The-Shelf (COTS) Software

To quantify unbounded risk and institute compensating controls, you need to define the level of risk your organization will accept for each assurance level and for each application type and class. Enterprises can then use software security ratings to decide which applications are secure enough to be purchased or deployed as-is, and which third-party applications the vendor must remediate before the software is accepted. A threshold is only useful if it is set before the assessment, agreed with the vendor in the contract, and tied to the specific version and build that was tested.

5. Leverage the Power of the Community to Create Demand for Secure Software From Vendors

Collaborate with your industry peers to establish application security benchmarks for specific verticals or business segments. Shared benchmarks give the vendor community a consistent target, encouraging vendors to embed security into their software development life cycles and to obtain formal security ratings for their applications. Vendors willing to embrace security benefit by using their software security ratings as a market differentiator.

6. Purchase Software Only From Vendors That Have Obtained Security Verification

Vendors are realizing that security is becoming a key criterion in the selection process and are beginning to market the security posture of their products. As part of the selection process, enterprise vendor management should ensure that they purchase software only from vendors whose products have been formally validated by an independent seal of approval, such as Veracode’s “VerAfied by Veracode” assurance program. Because a verification covers only the version that was tested, confirm that the seal applies to the release being purchased and require re-verification for major updates.