It is a truism that most organisations will not have the ability to test all the software they buy. In many cases, they will have to rely on the supplier’s assurances that the software has been tested and passed those tests.
The Information Security Forum (ISF) recognises that it may be impossible to test all software, business or otherwise.
Instead, a risk-based approach is recommended. This will allow organisations to focus their efforts on the software – and the business functions it supports – to both make best use of the limited resources they may have and to ensure the tests chosen highlight shortcomings when the software is in use.
This is best achieved by understanding the information that is going to be created, processed and stored in the software, and by also conducting a risk assessment to examine the business impact, threat and vulnerabilities of the software and the environments in which it will be used.
More on from Computer Weekly's Security Think Tank on security procurement
Knowing the information used in the software and the results of the risk assessment, the decision whether to test can be made and the most suitable tests selected.
To build security testing into the procurement process, the ISF advises that any organisation should adopt an information-centric, risk-based approach – such as that described in the ISF Supply Chain Information Risk Assurance Process.
The requirement for security testing can be integrated into the RFI/RFP/RFT process, so an acquirer can communicate its requirements for supplier testing – and results to be shared – throughout the procurement process.
Additionally, the acquirer can state the tests it will perform throughout the RFI/RFP/RFT process and how those results will be used in the procurement decision. If necessary, and guided by the risk assessment, the acquirer may undertake a testing programme at the due diligence stage of the procurement cycle before committing to buy.
Adrian Davis is principal research analyst at the Information Security Forum (ISF).