Power to the People and the Coming AppSec Revolution

When the revolution comes, the first up against the firewall will be your business partners – along with every other third party that provides you with software.

It used to be that you could call for more secure software from individual vendors – and Microsoft heeded that call, for example with its push for Trustworthy Computing, starting in 2002 – but today we’re more dependent on software than ever, and more interconnected than ever; we rise and fall by the security of our associates. The sheer number and variety of third-party applications have exploded: with on-premises software, mobile devices, and cloud-based services, a large organization can have tens of thousands of applications in use.

So organizations can’t focus on one or two providers, or address software security only within their own development efforts; they need to do it across the board. Initiatives such as Build Security In are taking acquisition into account, and supply chain security is being discussed at all levels in both the public and private sectors.

Now, it’s not too practical to take some commercial software off the shelf at Best Buy and tell the cashier that you’re not going to buy it unless it’s secure. But you can certainly start fomenting revolution by including security requirements in every RFP, statement of work and other contracts that you sign with third parties. This means that you need to start out by deciding how secure you want your software to be, and how you’ll measure that security. Here are some things you’ll want to include in the contract language:

  • How you will measure the level of security you expect from the software you receive
  • Who will provide those measurements – in other words, who will do the testing, and how often
  • Who is responsible for fixing anything that doesn’t measure up to your requirements
  • Who will bear the cost of those fixes, and how quickly they’ll be done
  • What will happen if something isn’t fixed – whether you can reject a deliverable, terminate the contract, or choose to sign off on the risk

I am not a lawyer, so I’m not about to give you legal language to use. But I can tell you that organizations have successfully included these issues in contracts – and as noted in Veracode’s latest State of Software Security Report, organizations that had a formal process for requiring software testing across the board saw nearly ten times the vendor participation of organizations that just requested it piecemeal.


via Power to the People and the Coming AppSec Revolution.
