
Security Think Tank: Good procurement practices pave the best way to app security

Application security is as much a question of good procurement practice as it is of good development practice, says Petra Wenham of the BCS

Petra Wenham


Published: 05 Sep 2022

Making and keeping a company's IT infrastructure safe from unauthorised intrusions or malicious actions is challenging. With the increased use of cloud computing, combined with a need to keep developing new functions at an ever-increasing pace using agile methodologies, maintaining good security is becoming more complex.

When buying software and software services from third parties, what the customer needs is a checklist of key requirements, developed from an understanding of the business, technical and operational needs, which will drive research into potential products and services.

Once a list of potential suppliers and products/services has been developed, a request for information (RFI) or equivalent can be issued, based on the key identified company requirements.

The answers to that RFI will help refine the list of suppliers and products or services down to a few suitable candidates, so that a request for quotation based on a detailed set of requirements can be issued.

The endgame is letting a contract to the selected supplier, where the contract itself articulates the company's requirements in detail. Those requirements would most likely be addressed as annexes to the main contract, enabling future changes without the need to renegotiate the main contract. This process may seem long-winded and unwieldy, but ultimately you are aiming for security, and you may be betting your company's future if you don't cover all the bases.

The broad principles outlined here can also be applied within a large organisation where there is an internal development group or groups. Essentially, it would be a contract between the business area and the development and operational groups.

Back in the early to mid-1990s, I was doing internal IT audit in Europe for a major international bank and I found that audit was not brought into a project until it went live or, often, after it went live.

The IT security group was a small two-person group based in a head office many miles away. I had come from a network and IT background and was able to pull together various security, audit and software practice-related documents to produce a small and concise document for the development groups in Europe.

Initial resistance soon evaporated and audit started being welcomed into software projects during the development cycle, opening the door to early and meaningful feedback.

It was a win-win outcome, as both development and audit saved time and less resource was wasted. Of course, today we have DevSecOps, an extension of DevOps, which ensures that security requirements, as well as regular testing and feedback, are built into the software development cycle, resulting in less wasted resource.

Although DevSecOps is seen as a major factor in improving the overall security posture of a company's IT infrastructure, it does not mean that the basics, such as patching and well-thought-out access and authentication mechanisms, can be paid less attention.

Of course, not all companies have their own in-house development teams, preferring to buy off-the-shelf applications or services.

Where services are bought in, the security processes are not under the direct control of the purchasing company; that is, the purchasing company is reliant on the product or service being secure.

This reliance is largely based on what the purchasing contract covers, and here the devil is very much in the detail.

For instance, you might think that requiring ISO 27001 certification and annual testing would cover your needs, but unless you have specified which clauses are required and to what level (scope and statement of applicability), you cannot be assured of the level of security.

If you are buying software, consider whether the contract covers code analysis by security experts, whether your company's security requirements are stated, and whether they are comprehensive.

In a fast-moving environment, you will need access to people skilled in defining security requirements where cloud computing and third-party software development are encountered. These people will need risk and threat analysis skills, including a good understanding of business risks, because these articulate what is key to protect in an organisation.

Contract annexes are the best way to handle these contractual needs, because they can be updated as required without having to go through a full contract renegotiation.
