Software security is not easy to apply across large and complex enterprises that develop custom software but significant strides have been made by 67 firms that actually measure the maturity of the controls in the software developed process. The body of information available as a result is in the Build Security In Maturity Model (BSIMM) which is also the source for one of the additive controls recommended for third parties by the working group. The working group members believe that applying software security practices is the responsibility of whomever is leading the software product development process whether that is for an internal development project or one supported by a third party. Therefore, the first control type recommended by the working group focused on the maturity of the practices for the third party.
The second control type identifies security vulnerabilities for a specific version of software at a specific time, using binary static scanning, a service offered by select number of vendors. The advantage of this control type is that it identifies security vulnerabilities and shares them with the third party vendor firm who can remediate the flaws and perform another scan to confirm the fix before sharing the results with the financial institution or client firm. The financial institution never requires access to either the source code or the binaries for the security validation, but still receives a summary report of the vulnerabilities detected once it is released by the third party vendor firm. The first control type determines process maturity while the second one determines the risk of specific vulnerabilities detected or a specific version of software produced by the third party.
The third control type provides a software code management process for development teams that use open source code libraries in the development process. It enables firms to choose versions of open source components they wish to promote to their developers based on use and the security risks of each library and ultimately enforce these choices through policy enforcement in the software build process. Several vendors offer this type of capability and a recently introduced vendor offers a full lifecycle management capability for the consumption of open source code libraries.
It is time the rest of the world's largest enterprises follow the lead of the largest financial services organizations and address the security of applications developed by third parties. Each working group delegate organization has adopted these controls within their own security program and seen reduced risk at the application layer. At the FS-ISAC Fall Summit, the working group will release a whitepaper describing the control types and advice for effectively applying these controls based on our own experiences. The guidance offered through the whitepaper will help financial service and other regulated industries apply controls designed specifically to address the risks of building software for the web and mobile channels.
Sign up for CIO Asia eNewsletters.