Trust but Verify: Strategies for managing software supplier risk
Tim Jarrett (@tojarrett)
Applications are the engine for innovation
• Leading enterprises in all industries are delivering new mobile experiences, leveraging the Cloud and Big Data analytics, and digitizing their processes.
• Every enterprise is a technology company. Software will be the great enabler for financial gains and brand growth. - Forrester
Applications are the engine for innovation and the primary target for cyber-attacks
More than 50% of all attacks now target the application layer (Verizon DBIR), yet fewer than 10% of enterprises test all of their business-critical applications (SANS).
[Diagram: stack layers from top to bottom: Application, Web/App Server, Database, Operating System, Network]
To Speed Innovation, Enterprises are Increasing their Reliance on Third-Party Software
• Internally developed: 38%
• Sourced from commercial software vendor: 34%
• Outsourced (developed by third party): 27%
SOURCE: IDG Study, “Majority of Internally Developed Apps not Assessed for Critical Security Vulnerabilities” June 2014
Risk from Third-Party Software is Growing, Unmitigated
• Over 90% of the third-party software tested by Boeing had significant, compromising flaws. - John Martin, Boeing
TRANSFORMING the SOFTWARE SUPPLY CHAIN
The 7 Habits of Highly Successful Supply Chain Transformations
1. Choose the right suppliers
2. Put your efforts where they will do the most good
3. Collaborate to innovate
4. Use compliance and consequences
5. Drive compliance with “WIIFM” (“what’s in it for me?”)
6. Align benefits for enterprise & supplier – or pay
7. Use suppliers as force multipliers
MANAGING the SOFTWARE SUPPLY CHAIN
Regulatory Agencies are Paying Attention to this Increased Risk
FS-ISAC guidance for third-party software security
The Third Party Software Security Working Group was established with a mandate to analyze control options and develop specific recommendations on control types for member firms to consider adding to their vendor governance programs.
The Third Party Software Security Working Group included leaders from Morgan Stanley; Thomson Reuters; DTCC; Citi; Capital One; Goldman Sachs; RBS Citizens Bank; JP Morgan Chase; GE; Aetna; and Fidelity.
Control 1: Process Maturity Assessment
Control 2: Binary Static Analysis
Control 3: Software Composition Analysis
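What Control 3 looks like in practice, as an added example that is not part of the talk or of the FS-ISAC guidance: a minimal software composition analysis pass that parses a dependency manifest, compares each pinned component against an advisory list, and separately reports components whose version is not pinned and therefore cannot be assessed (the "inventory quality" problem the later slides raise). The manifest and the advisory entries are constructed for this example, and the advisory identifiers (ADV-EXAMPLE-…) are hypothetical placeholders, not real CVEs. Real SCA tools also resolve transitive dependencies and read lockfiles; this shows only the core matching step.

```python
"""Minimal software composition analysis (SCA) check over a pip-style manifest."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample manifest (not from the talk). Includes a comment, an
# environment marker, and one unpinned range to exercise each code path.
SAMPLE_MANIFEST = """\
# constructed example manifest
requests==2.19.0
pyyaml==5.4.1
flask==0.12.2 ; python_version >= "3"
jinja2>=2.10  # unpinned: exact version unknown, cannot be assessed
"""

# Constructed advisory feed. Identifiers are hypothetical placeholders.
# Each entry says: versions strictly below `vulnerable_below` are affected.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "requests", "vulnerable_below": "2.20.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "component": "pyyaml", "vulnerable_below": "5.4", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0003", "component": "flask", "vulnerable_below": "1.0", "severity": "medium"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# name, optional comparison operator, optional version; markers/comments are stripped first
_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.\-]*)?")


@dataclass
class Component:
    name: str
    operator: str | None  # "==" means an exact pin; anything else is a range
    version: str | None


@dataclass
class Finding:
    advisory_id: str
    component: str
    installed: str
    fixed_in: str
    severity: str


def parse_version(v: str) -> tuple:
    """Turn '2.19.0' into (2, 19, 0). Non-numeric suffixes (e.g. 'rc1') are
    approximated: only the leading digits of each piece count."""
    parts = []
    for piece in re.split(r"[.\-]", v):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def parse_manifest(text: str) -> list[Component]:
    """Extract components from a requirements-style manifest, ignoring
    comments and environment markers."""
    comps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        name, op, ver = m.groups()
        comps.append(Component(name.lower(), op, ver))
    return comps


def analyze(manifest_text: str, advisories: list[dict]) -> tuple[list[Finding], list[str]]:
    """Return (findings sorted by severity, names of unassessable components).
    A component is unassessable when the manifest does not pin an exact version."""
    findings: list[Finding] = []
    unassessable: list[str] = []
    for comp in parse_manifest(manifest_text):
        if comp.operator != "==" or comp.version is None:
            unassessable.append(comp.name)
            continue
        for adv in advisories:
            if adv["component"] != comp.name:
                continue
            if parse_version(comp.version) < parse_version(adv["vulnerable_below"]):
                findings.append(Finding(adv["id"], comp.name, comp.version,
                                        adv["vulnerable_below"], adv["severity"]))
    findings.sort(key=lambda f: SEVERITY_ORDER.get(f.severity, 99))
    return findings, unassessable


if __name__ == "__main__":
    found, unknown = analyze(SAMPLE_MANIFEST, SAMPLE_ADVISORIES)
    for f in found:
        print(f"{f.severity.upper():8} {f.component}=={f.installed} affected by {f.advisory_id}, fixed in {f.fixed_in}")
    for name in unknown:
        print(f"UNKNOWN  {name}: version not pinned, cannot assess")
```

Note that pyyaml 5.4.1 is correctly not flagged against a "below 5.4" advisory because version tuples compare component-wise, and that the unpinned jinja2 entry is surfaced rather than silently passed: in a vendor program, an unassessable component is a data-quality gap to send back to the supplier, not a clean result.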
Scaling a vendor application security testing (VAST) program
Ingredients for testing success
• Vendor IP protection
• Vendor “assess once and share”
• Vendor remediation coaching
• Clearly defined and communicated policy
• Exception handling process
• Risk Stratified Assessment Strategy
• Central reporting with visibility for the rest of the business
Pillars of Program Success
• Strength of Internal Enterprise Programs: Is the internal development AppSec program mature?
• Define: Have the required documents been completed?
• Inventory: What is the quality of the vendor application data?
• Education and Awareness: Are vendor managers aware of, and advocates for, the VAST program?
• Level of Investment: Is scanning for the first year covered by the enterprise?
• Strength of Mandate: Is the vendor requirement contractually obligated?
[Scorecard: each pillar is rated with a SCORE and a GAP]
THANK YOU