Many people do not realize the many security risks that are inherent in the vendor software supply chain. And those risks are quite vast indeed! Companies often have valuable information on their financials and their customers stolen in this way.
Many companies, unfortunately, ignore the risks and make purchases from insecure software vendors anyway. They have various reasons for this: their IT departments may not have the time, the money or the manpower to devote to testing those from whom they buy their software. It may be because only a small portion of all the vendor software that is currently being used is covered by traditional methods of assessment. Companies rarely try to put pressure on vendors to comply with their security standards. The vendors themselves may be reluctant to share information regarding their software, as it is their intellectual property. It is quite urgent that anyone who works in the vendor software field be made aware of these risks so as to be better able to manage them. That is what this article will be about.
VeraCode, provider of the world’s foremost Application Risk Management Platform, has created a set of programs collectively referred to as VAST (Vendor Application Security Testing) to help enterprises understand, and thus reduce, the risks that are associated with using vendor-supplied software. These programs work by analyzing each application’s security position within the software supply chain of the organization. In doing so, VeraCode is always sure to protect the vendor’s intellectual property rights. The level of customer support it offers, which enables it to partner with vendors rather than “punish” them, is unmatched. Theirs is in fact the only “completely managed” program available anywhere that is designed for vendor security risk management.
There are two distinct types of VAST programs: one for enterprise customers and one for vendors. For enterprises, VeraCode has designed programs that make sure as many applications as needed are brought into compliance. It also has a cloud-based platform that rigorously analyzes software according to criteria defined by the users themselves, and it makes an independent confirmation that the software satisfies the security demands of the customer.
VAST’s methodology for enterprises is threefold. The steps it uses are:
- Define: formulate the test criteria and put together an application list with contact information.
- Test: conduct an analysis on all applications and submit a summary report to the client enterprise.
- Comply: test and retest in accordance with enterprise policy, notify the enterprise when the software is compliant with that policy, and perform sales and market promotion.
Vendors themselves can benefit by participating in VeraCode’s programs. For them, VAST has solutions for managing security risk and at the same time maintaining the integrity of their intellectual property. The vendor will have full access to a cloud-based testing platform that is easy to use and tests binaries instead of the source code. By taking part in a VAST program vendors can also see an increase in customer loyalty.
Both enterprise customers and vendors also receive such benefits as improved software risk management and compliance that exceeds company policy. Future threats can be eliminated as more secure coding practices are adopted.
2) Products offered by VeraCode
VeraCode offers seven different products: Static, Dynamic, eLearning, Analytics, Policy Manager, APIs, and Mobile. No special hardware need be bought and no special software need be installed for these products to work. Dynamic MP protects the website itself, as this is a company’s “most vulnerable business asset.” It does so by correcting SQL injection and cross-site scripting (XSS) vulnerabilities. Static scans programs in a “non-run” environment, that is, without executing them.
There is really no company that can produce both the awareness of the risks involved in buying vendor software and the protection against those risks that VeraCode can. So if you are an enterprise owner or a software vendor and you really want to enjoy benefits such as those listed above, then look no further than VeraCode. What is more, the engineers who work for the company are constantly studying the results of thousands of previous scans so they can improve their products to match the evolution of new threats as well as that of technology.
Katelyn Roberts is a frequent contributor for NetQin, helping couples explore vacations to keep them healthy and safe.