Appropriate Software Security Control Types for Third-Party Service and Product Providers
According to PwC, detected security incidents have increased 25 percent this year, while the average financial cost of an incident is up 18 percent. However, only 20 percent of organizations evaluate the security of the third parties with which they share data or network access more than once a year.
What You Will Learn:
It is increasingly critical that organizations understand the risk associated with sharing data with third parties. This independent paper from the FS-ISAC Third Party Software Security Working Group (whose members include leaders from Morgan Stanley, Citi, Goldman Sachs, RBS Citizens, Thomson Reuters, Aetna, and many others) offers specific recommendations on control types to add to existing vendor governance programs to address third-party application security.
Designed for all enterprises (in addition to financial services organizations) that rely on third-party software such as commercial and outsourced applications, third-party libraries and frameworks, and open source code, this paper recommends and explains three control types:
- vBSIMM Process Maturity Assessment for software development
- Binary static analysis for determining software vulnerability density in third-party-sourced software
- Policy management and enforcement for consumption of open source libraries and components
“By aligning on these control types as an industry, financial institutions can improve the adoption rate for vendors, and ultimately can promote software security from an outlier request to a standardized norm.”
– From FS-ISAC “Appropriate Software Security Control Types for Third-Party Service and Product Providers”