To ensure security is part of software procurement, the place to start is a review of the due diligence process for procurement.
Within security, we lament an inability to be more involved in the software and systems development lifecycle, but with third parties playing a significant role in what is often a complicated supply chain, a lot can be achieved in reviewing the quality of due diligence that is applied.
If we are talking about a large organisation, there is an opportunity for security to knock on the door of the procurement department. If procurement is not interested or does not exist as a functional area, make the case to senior management about why reviewing the criteria for third-party providers in software is in order. It is clear that for software development this must go beyond the typical questions around financial stability and service levels.
Security testing is one of many aspects to be addressed. We, as security professionals, have the ability to review and understand providers’ overall software development process, their approach to security, testing and of course requirements analysis in the design.
We can specify expectations in these areas or pose questions that are often missed, around their use of code libraries, other third parties, or their appreciation of misuse as well as use cases, professional credentials for security in software, and the like.
A lot can be determined by testing whether they even understand some of the basics: do they know what a buffer overflow is, for example? The use of high-level languages in programming today is reducing these basics to obscurity, allowing vulnerabilities discovered long ago to persist.
When procuring off-the-shelf packages, where your ability to apply due diligence is more limited, research can still be done. Take a look at customer forums and comments, or ask for and speak to references, so you can learn about and assess the complications they may have faced post-implementation.
Inserting robust security inquiries into the due diligence process does not mean that we need to instill strict criteria in every case.
In security we must understand that commercial imperatives may outweigh our own. But until we take the steps to become better informed about the risks that are being taken, no one can be in a position to make this assessment.
John Colley is European director for (ISC)2
This was first published in November 2013