Software Integrity Blog


FS-ISAC recommended controls for addressing third-party software security

3rd Party Security Whitepaper
All businesses depend on software; some of it is developed internally, while the rest comes from third-party software service providers and commercial off-the-shelf (COTS) software vendors. While organizations can hope that software from third parties is built securely, hope isn’t a viable security strategy—which means firms need an effective third-party security strategy to reduce the risk of exposing customer and company information.

Despite the rising costs associated with data breaches, only 20% of organizations evaluate the security of third parties with which they share data or network access more than once a year, according to PwC. The trend of ignoring the risk posed by third parties cannot continue. This risk is what compelled the FS-ISAC Product & Services Committee to form the Third Party Software Security Working Group, with the goal of determining what additional software security control types would be appropriate to add to vendor governance programs. The working group’s mandate is to analyze control options and develop specific recommendations on control types for member firms to consider adding to their vendor governance programs. It is composed of individuals from 11 leading organizations, including JP Morgan Chase, Aetna, RBS Citizens Bank, and Morgan Stanley. Their recently published white paper, “Appropriate Software Security Control Types for Third Party Service and Product Providers,” provides actionable recommendations any organization can implement. Some of the group’s recommendations include:

  • Using a vBSIMM assessment to measure the maturity of a software supplier’s development process
  • Conducting binary static analysis to determine the vulnerability density of third-party-sourced software
  • Implementing policy management for the consumption of open source libraries and components, with enforcement of that policy

Download the full whitepaper to learn how the software security leaders from the largest financial services firms are addressing third-party application security.
