software security


Ok, so you did everything right. You sent your vendor a Standardized Information Gathering (SIG) questionnaire scoped to the data and service type involved, analyzed the responses, decided to perform an on-site assessment using the Agreed Upon Procedures (AUP), and helped identify security gaps that needed to be addressed. Everything seemed to be aligned with your risk management process and you were seeing progress. Then your vendor's core software was breached and your customer data was exposed. You hadn't focused heavily on software security, since that wasn't generally in your purview, and the high-level answers you had received back in the SIG seemed to indicate appropriate security controls were in place. You started wondering what had gone wrong and what you could have done differently.