Trust but Verify: Strategies for managing software supplier risk

Post on 23-Jan-2017


Tim Jarrett (@tojarrett)


Applications are the engine for innovation

• Leading enterprises in all industries are delivering new mobile experiences, leveraging the Cloud and Big Data analytics, and digitizing their processes.

• "Every enterprise is a technology company. Software will be the great enabler for financial gains and brand growth." - Forrester


Applications are the engine for innovation and the primary target for cyber-attacks

More than 50% of all attacks now target the application layer* — yet fewer than 10% of enterprises test all of their business-critical applications**.

[Figure: application stack diagram with layers Application Layer, Web/App Server, Database, Operating System, Network]

* Verizon DBIR
** SANS


To Speed Innovation, Enterprises are Increasing their Reliance on Third-Party Software

• 38%: Internally developed

• 34%: Sourced from commercial software vendor

• 27%: Outsourced (developed by third party)

SOURCE: IDG Study, “Majority of Internally Developed Apps not Assessed for Critical Security Vulnerabilities” June 2014


Risk from Third-Party Software is Growing, Unmitigated

• "Over 90% of the third-party software tested by Boeing had significant, compromising flaws." - John Martin, Boeing


TRANSFORMING the SOFTWARE SUPPLY CHAIN


The 7 Habits of Highly Successful Supply Chain Transformations

1. Choose the right suppliers

2. Put your efforts where they will do the most good

3. Collaborate to innovate

4. Use compliance and consequences

5. Drive compliance with “WIIFM”

6. Align benefits for enterprise & supplier – or pay

7. Use suppliers as force multipliers


MANAGING the SOFTWARE SUPPLY CHAIN


Regulatory Agencies are Paying Attention to this Increased Risk


FS-ISAC guidance for third-party software security

The Third Party Software Security Working Group was established with a mandate to analyze control options and develop specific recommendations on control types for member firms to consider adding to their vendor governance programs.

Third Party Software Security Working Group included leaders from Morgan Stanley; Thomson Reuters; DTCC; Citi; Capital One; Goldman Sachs; RBS Citizen’s Bank; JP Morgan Chase; GE; Aetna; and Fidelity.

Control 1: Process Maturity Assessment

Control 2: Binary Static Analysis

Control 3: Software Composition Analysis


Scaling a vendor application security testing (VAST) program


Ingredients for testing success

• Vendor IP protection

• Vendor “assess once and share”

• Vendor remediation coaching

• Clearly defined and communicated policy

• Exception handling process

• Risk Stratified Assessment Strategy

• Central reporting with visibility for the rest of the business


Pillars of Program Success

Each pillar is assessed with a SCORE and a GAP:

• Strength of Internal Enterprise Programs: Is the internal development AppSec program mature?

• Define: Have the required documents been completed?

• Inventory: What is the quality of the vendor application data?

• Education and Awareness: Are vendor managers aware of, and advocates for, the VAST program?

• Level of Investment: Is scanning for the first year covered by the enterprise?

• Strength of Mandate: Is the vendor requirement contractually obligated?


THANK YOU