Software Integrity Blog


FS-ISAC recommended controls for addressing third-party software security

The FS-ISAC released a white paper outlining how security leaders from financial services companies are addressing security in third-party software.

All businesses depend on software. Some software is developed internally while the rest comes from third-party software service providers and commercial off-the-shelf software (COTS) vendors. While organizations can hope the software from third parties is built securely, hope isn’t a viable security strategy—which means firms need to develop an effective third-party security strategy to reduce the risk of exposure of customer and company information.

Despite the rising costs associated with data breaches, only 20% of organizations evaluate the security of third parties with which they share data or network access more than once a year, according to PwC. The trend of ignoring the risk posed by third parties cannot continue.

This risk is what compelled the FS-ISAC Product & Services Committee to form the Third Party Software Security Working Group, with the goal of determining what additional software security control types would be appropriate to add to vendor governance programs. The Third Party Software Security Working Group’s mandate is to analyze control options and develop specific recommendations on control types for member firms to consider adding to their vendor governance programs.

The Third Party Software Security Working Group comprises individuals from 11 leading organizations including JP Morgan Chase, Aetna, RBS Citizens Bank, and Morgan Stanley. Their recently published white paper, Appropriate Software Security Control Types for Third Party Service and Product Providers, provides actionable recommendations any organization can implement.

Some of the group’s recommendations include:

  • Using the BSIMMsc to assess the software development process maturity of a software supplier
  • Conducting binary code analysis to determine the software vulnerability density for third-party-sourced software
  • Implementing policy management for enforcement and consumption of open source libraries and components
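The third recommendation is the one most readily turned into an automated control: a consumption policy that every open source component must pass before it enters a build. The following is an added illustration of such a gate, not code from the white paper or from the working group. The policy values, component names, versions, licenses and source names are all constructed for the example; a real program would load the policy from a governed configuration and the component list from a build manifest or SBOM.

```python
"""Added example: a minimal open source consumption policy gate.

Everything below (policy rules, component names, versions, sources) is
constructed for illustration and does not describe any real package or vendor.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    source: str  # registry or mirror the artifact was pulled from


# Hypothetical governance policy. In practice this lives in version control and
# is owned by the vendor-governance / software security group, not the build team.
POLICY = {
    "approved_sources": {"internal-mirror.example"},
    "denied_licenses": {"AGPL-3.0", "SSPL-1.0"},
    "minimum_versions": {"libbar": "1.0.0"},
    "denied_components": {"old-helper"},
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '1.2.10' into a comparable integer tuple.

    Non-numeric suffixes (e.g. '3-rc1') are reduced to their leading digits so
    the comparison never raises; a stricter parser would reject them outright.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual: str, minimum: str) -> bool:
    """Compare two dotted versions numerically, padding the shorter with zeros."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a >= m


def evaluate(component: Component, policy: dict) -> List[str]:
    """Return every policy finding for one component (empty list means it passes)."""
    findings = []
    if component.name in policy["denied_components"]:
        findings.append("component is on the deny list")
    if component.license in policy["denied_licenses"]:
        findings.append(f"license {component.license} is not permitted")
    if component.source not in policy["approved_sources"]:
        findings.append(f"pulled from unapproved source {component.source}")
    minimum = policy["minimum_versions"].get(component.name)
    if minimum is not None and not version_at_least(component.version, minimum):
        findings.append(f"version {component.version} is below policy minimum {minimum}")
    return findings


def enforce(components: List[Component], policy: dict) -> Dict[str, List[str]]:
    """Map each failing component's name to its findings; passing components are omitted."""
    report: Dict[str, List[str]] = {}
    for component in components:
        findings = evaluate(component, policy)
        if findings:
            report[component.name] = findings
    return report


# Constructed sample manifest; a real run would read this from the build's SBOM.
SAMPLE_COMPONENTS = [
    Component("libfoo", "2.4.0", "MIT", "internal-mirror.example"),          # passes
    Component("libbar", "0.9.3", "Apache-2.0", "internal-mirror.example"),   # too old
    Component("libbaz", "3.1.0", "AGPL-3.0", "public-registry.example"),     # license + source
    Component("old-helper", "1.0.0", "MIT", "internal-mirror.example"),      # denied outright
]


if __name__ == "__main__":
    result = enforce(SAMPLE_COMPONENTS, POLICY)
    for name, findings in result.items():
        for finding in findings:
            print(f"BLOCK {name}: {finding}")
    # A CI job would fail the build when the report is non-empty.
    raise SystemExit(1 if result else 0)
```

The gate is deliberately allowlist-based for sources (anything not on the approved mirror fails) and denylist-based for licenses and components, which matches how most vendor governance programs express these rules; the version check is the piece that needs the most care in a real deployment, since package ecosystems differ in how they encode pre-release and build metadata.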

Download the full white paper to learn how the software security leaders from the largest financial services firms are addressing third-party application security.
