Security Think Tank: How to ensure vendors act efficiently

Opinion

Security Think Tank: How to ensure vendors act efficiently

No business can survive without business applications. That is a fact of life these days. Similarly, most business applications are not developed inhouse but rather procured from third-party application vendors. These applications run in various modes of operations: thick PC, client-server, internal web or external web-based cloud application.

As part of a due diligence process, any application procured should fit to overall enterprise application architecture, and pass a security and business continuity test. 

40199_Security-think-tank.jpg

However, here lies the problem. Many organisations do not have an enterprise architecture function established, have not done business continuity testing, and certainly do not involve their security team in testing new external applications. The poor IT security manager learns about a new application from an internal communication related to the application’s launch date.

What can security managers do? There are few steps that can be taken for improving the chances of an application being tested before its launch date.

First, update procurement policies and process to include security team involvement. Most procurement teams are remunerated based on the discount they negotiate. A security manager could argue that the company should get a discount based on the number of security issues discovered in the application software. That way, procurement is more likely to involve the security team; indeed no security is without faults, so some discount is going to be found.

Second, partner with an application testing company that is set up to test applications written in different programming languages, in-house, cloud, etc. If the vendor has already tested their application, perhaps the testing partner can work with them to normalise the test results. The outcome from this step is a score that is passed to procurement.

Finally, update security policy so applications with a score outside desired value is not allowed on the enterprise network. The link to information classification, or system criticality would be desirable.

Vladimir Jirasek is managing director at Jirasek Consulting Services

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

This was first published in November 2013

 

COMMENTS powered by Disqus  //  Commenting policy