Slide 1 | Copyright © 2015, Cigital and/or its affiliates. All rights reserved. | Cigital Confidential Restricted.
WORKSHOP: Handling Third Party Software Risk
Nick Murison, Managing Consultant, nmurison@cigital.com
Sammy Migues, Principal Consultant, sammy@cigital.com
Slide 2 (Question 1): Which of the following categories for 3rd-party software do you specifically account for in your SSI?
a. Bespoke software, COTS, FoSS with no owner: all but one firm
b. “Salesforce” managed service model: 7-10
c. “Service as a Service” (e.g., give me PII and I’ll do snail mail, payroll, etc.): 4
d. “Platform as a Service” (e.g., all your app are belong to us): 5
e. Pre-configured systems/appliances we build on top of: 8
f. “Injected code” as a service (analytics, trackers, ads, etc.): ?
Slide 3 (Question 2): Is “3rd-party” a heavyweight factor in your software risk ranking process?
- Believe unknown libraries increase risk
- Probably no increased risk if we have all source code
- “We see more issues in 3rd-party code than in ours, so yes”
- “One of 17 q’s in app risk ranking”
Considering just app code, how much is 3rd-party?
- <50%
- Range from very small percentage to 75-80%
- 90% for one outlier
Slide 4 (Question 3): Straw poll: what do you have in your contracts with 3rd-party software vendors?
- Some people writing SLA language with Legal support
- Have used SLA language as a lever to drive changes
- “Have to spend our own money to verify contractor is doing what’s in the contract”
  − “We make them test it (and pay) and give us the results”
- Might be a conflict between firm and vendor depending on who pays and who gets the (unfiltered) results
Slide 5 (Question 4): What do you do for open source with no owner?
- Vendor’s job to fix it and keep it fixed
- “If you’re the only team using it, then it’s your problem”
- 7-8 trying/tracking FoSS being used
- 3-4 hosting open source on an internal repository
Slide 6 (Question 5): What has been effective at addressing 3rd-party risk in your firm?
- PT vs SLA?
  − “We use PT to verify adherence to SLA”
  − “We’re not allowed to test some 3rd-party things; have to make them get a PT and then give us the results”
- 1 making “vendor assessment” part of security assessment
- We offer Fortify to vendors and found some critical defect
- As a vendor, get q’s like “Are you OWASP compliant?”
Slide 7 (Question 6): What certifications / assurances held by a vendor make you more comfortable?
- “ISO 27001 is a red flag for us”
- ISO 27034 might be useful someday
- Sometimes a PT from a certain vendor is enough
- Handful deal with PCI
- Many clients for a service = many PT requests
- One might ask a vendor to do a BSIMM
  − “Yes, but I’d want the assessment to be specific to the product I have”
- “We have a large team that does product certifications”
  − Common Criteria, FIPS 140-2, EMVCo
Slide 8 (Contacts):
Nick Murison, Managing Consultant, nmurison@cigital.com
Sammy Migues, Principal Consultant, sammy@cigital.com