Ok, so you did everything right… you sent your vendor a Standard Information Gathering (SIG) scoped based on data and service type, you analyzed the responses, decided to perform an on-site assessment using the Agreed Upon Procedure (AUP), and helped identify security gaps that needed to be addressed. Everything seemed to be aligned with your risk management process and you were seeing progress… but then your vendor’s core software got breached and your customer data was exposed. You hadn’t focused heavily on the software security since this wasn’t generally in your purview and the basic information you had received back from the SIG seemed to indicate appropriate security controls were in place. You started wondering what had gone wrong and what you could have done differently.
Over the course of the last year, the Shared Assessment SIG Committee asked the same question. How can the SIG help you better understand a vendor’s software development security lifecycle with more dedicated software security questions? How could you, as a security and/or risk generalist get information to inform whether further assessment is necessary without having an advanced degree in application development?
As part of its effort, the SIG Committee formed a software security sub-committee made up of the leaders in software security including Veracode, Cigital, JP Morgan Chase, The Clearing House, and others to identify the relevant questions necessary to understand a 3rd party’s application security maturity. The goal was to offer SIG users a more in-depth view without creating a separate tool or going as deep as a vBSIMM or an actual code review (like those that are available from Cigital and Veracode); both recommended to help get more visibility into vendor development maturity and reduce risk.
The goal was to develop real-world questions in use at these top firms today, in-line with the SIG format, that could be leveraged by the rest of the membership.
The results of this effort are part of the SIG 2014 Software Security tab and represent a great step forward in helping to reduce what is one of the most challenging aspects of 3rd party risk management. The Software Security tab builds upon other SIG content to further highlight vendors that provide software as part of their offerings. I hope you will incorporate the new tab as part of your process and we would love feedback from members on whether this has been helpful in improving visibility and reducing application security risk. I would also like to thank everyone who participated in making the new tab a reality.