Security Think Tank: How to ensure vendors act efficiently

How can security professionals ensure security testing becomes part of the procurement process for all business software?

No business can survive without business applications. That is a fact of life these days. Similarly, most business applications are not developed in-house but rather procured from third-party application vendors. These applications run in various modes of operation: thick PC client, client-server, internal web, or external web-based cloud application.

As part of a due diligence process, any application procured should fit the overall enterprise application architecture, and pass a security and business continuity test.

However, here lies the problem. Many organisations do not have an enterprise architecture function established, have not done business continuity testing, and certainly do not involve their security team in testing new external applications. The poor IT security manager learns about a new application from an internal communication related to the application’s launch date.

What can security managers do? There are a few steps that can be taken to improve the chances of an application being tested before its launch date.

First, update procurement policies and processes to include security team involvement. Most procurement teams are remunerated based on the discount they negotiate. A security manager could argue that the company should get a discount based on the number of security issues discovered in the application software. That way, procurement is more likely to involve the security team; indeed, no software is free of security faults, so some discount is always going to be found.

Second, partner with an application testing company that is set up to test applications written in different programming languages and deployed in different ways (in-house, cloud, etc.). If the vendor has already tested their application, perhaps the testing partner can work with them to normalise the test results. The outcome of this step is a score that is passed to procurement.

Finally, update security policy so that applications with a score outside the desired range are not allowed on the enterprise network. Linking the acceptable score to information classification or system criticality would be desirable.

Vladimir Jirasek is managing director at Jirasek Consulting Services