Conventional third party controls are no longer sufficient to cover the ever-expanding attack surface presented by web and mobile applications developed by service vendors or commercial software providers. The third party controls established over the past 10-15 years were adopted by financial services firms and incorporated into their respective third party governance programs.
However, the threat landscape is fundamentally different with the proliferation of mobile, web and cloud based applications supported by third parties. The need for third party software security is so essential that a group of security leaders from the highly competitive financial services sector established a working group through the Financial Services Information Sharing and Analysis Center (FS-ISAC) to provide guidance for the rest of the industry on additive controls to address software security. Though the goal of this working group is to help improve security at financial organizations, enterprises of all kinds can and should adopt this new guidance to address the increasing danger posed by third party applications.
Every industry uses third party software to increase employee productivity, deliver the latest technology to its customers and maintain relevancy in evolving markets. In the financial services industry, this has manifested in mobile payments, modern web interfaces, and banks moving onto social media, to name just a few. The financial services industry has long worked, through the Financial Services Roundtable (BITS) and FS-ISAC, to apply effective controls and protect the sensitive data flowing through these applications. Though there are established controls for protecting information from the software vulnerabilities of third party service and software providers, what is not established is how to ensure that secure software development practices are applied by the third parties that develop software used by banks, mortgage lenders, and insurance companies.
Spearheading the need to address this risk, a group of ten leading financial service firms came together to identify and recommend control types for securing third party software development.
The working group set out to improve information protection for third party software used to process sensitive data, whether the software was developed by third parties using their own methodologies or using commercial products developed for the marketplace. The control types developed are designed to be incorporated with existing vendor governance practices and work in concert with established third party governance controls.
These controls enable enterprises, regardless of industry, to assess the maturity of a software provider's secure development lifecycle, ensure a process exists to identify and remediate significant vulnerabilities, and manage the risk of consuming open source code in the development process. There are three control types: two apply directly to third party firms that develop software, and one addresses supply chain risk (the open source components consumed) in internal development.