Trust but Verify: Strategies for managing software supplier risk

Transcript of Trust but Verify: Strategies for managing software supplier risk

Page 1: Trust but Verify: Strategies for managing software supplier risk

Trust but Verify: Strategies for Managing Software Supplier Risk

Tim Jarrett (@tojarrett)

Page 2: Trust but Verify: Strategies for managing software supplier risk

Applications are the engine for innovation

• Leading enterprises in all industries are delivering new mobile experiences, leveraging the Cloud and Big Data analytics, and digitizing their processes.

• Every enterprise is a technology company. Software will be the great enabler for financial gains and brand growth. - Forrester

Page 3: Trust but Verify: Strategies for managing software supplier risk

Applications are the engine for innovation and the primary target for cyber-attacks

More than 50% of all attacks now target the application layer* — yet fewer than 10% of enterprises test all of their business-critical applications**.

[Figure: technology stack diagram with the layers Application Layer, Web/App Server, Database, Operating System and Network]

* Verizon DBIR
** SANS

Page 4: Trust but Verify: Strategies for managing software supplier risk

To Speed Innovation, Enterprises are Increasing their Reliance on Third-Party Software

• Internally developed: 38%

• Sourced from commercial software vendor: 34%

• Outsourced (developed by third party): 27%

SOURCE: IDG Study, “Majority of Internally Developed Apps not Assessed for Critical Security Vulnerabilities”, June 2014

Page 5: Trust but Verify: Strategies for managing software supplier risk

Risk from Third-Party Software is Growing, Unmitigated

• Over 90% of the third-party software tested by Boeing had significant, compromising flaws. - John Martin, Boeing

Page 6: Trust but Verify: Strategies for managing software supplier risk

TRANSFORMING the SOFTWARE SUPPLY CHAIN

Page 7: Trust but Verify: Strategies for managing software supplier risk

Page 8: Trust but Verify: Strategies for managing software supplier risk

Page 9: Trust but Verify: Strategies for managing software supplier risk

The 7 Habits of Highly Successful Supply Chain Transformations

1. Choose the right suppliers

2. Put your efforts where they will do the most good

3. Collaborate to innovate

4. Use compliance and consequences

5. Drive compliance with “WIIFM” (what’s in it for me)

6. Align benefits for enterprise & supplier – or pay

7. Use suppliers as force multipliers

Page 10: Trust but Verify: Strategies for managing software supplier risk

MANAGING the SOFTWARE SUPPLY CHAIN

Page 11: Trust but Verify: Strategies for managing software supplier risk

Regulatory Agencies are Paying Attention to this Increased Risk

Page 12: Trust but Verify: Strategies for managing software supplier risk

FS-ISAC guidance for third-party software security

The Third Party Software Security Working Group was established with a mandate to analyze control options and develop specific recommendations on control types for member firms to consider adding to their vendor governance programs.

Third Party Software Security Working Group included leaders from Morgan Stanley; Thomson Reuters; DTCC; Citi; Capital One; Goldman Sachs; RBS Citizen’s Bank; JP Morgan Chase; GE; Aetna; and Fidelity.

Control 1: Process Maturity Assessment

Control 2: Binary Static Analysis

Control 3: Software Composition Analysis

Page 13: Trust but Verify: Strategies for managing software supplier risk

Scaling a vendor application security testing (VAST) program

Page 14: Trust but Verify: Strategies for managing software supplier risk

Ingredients for testing success

• Vendor IP protection

• Vendor “assess once and share”

• Vendor remediation coaching

• Clearly defined and communicated policy

• Exception handling process

• Risk Stratified Assessment Strategy

• Central reporting with visibility for the rest of the business

Page 15: Trust but Verify: Strategies for managing software supplier risk

Pillars of Program Success

Each pillar is rated with a SCORE and a GAP:

• Strength of Internal Enterprise Programs: Is the internal development AppSec program mature?

• Define: Have the required documents been completed?

• Inventory: What is the quality of the vendor application data?

• Education and Awareness: Are vendor managers aware of, and advocates for, the VAST program?

• Level of Investment: Is scanning for the first year covered by the enterprise?

• Strength of Mandate: Is the vendor requirement contractually obligated?

Page 16: Trust but Verify: Strategies for managing software supplier risk

THANK YOU