This post is part two of two regarding how to evaluate the security risks of third-party solutions that your company is considering purchasing. In part one, we covered gathering of requirements, identifying who will perform the security assessment, who are the players that have third-party solutions and setting the legal agreements in place.
Having discussions with third-parties regarding security of their solutions can generally give you a good idea of how mature the company and the product are. It can also give you an indicator of how easy it will be to work with them in the future after contract has been signed. It is amazing how many companies that are still out there who have not integrated security into their process.
Performing the security assessment
If the assessment is done during the sale cycle, your company has a better chance of negotiating what fixes need and/or can be done. In future posts, we'll delve deeper in how to prioritize and what will be covered during the assessment.
Documentation of findings
Rank/Assign severities according to what's important to your business, which ones must be fixed, which are nice to haves etc.
Decision of which solution to select
Do they meet the business requirements?
How insecure are they? If the third-party needs to completely rearchitect their solution because of inherent security risks, it could be at this point that they are dropped from consideration if you have a tight timeline.
Sharing of findings if a third-party solution is selected
Sharing findings with the companies that were not selected is also an option if your company feels so inclined.
Third-party presents timeline for fixes
Can they fix the critical security issues and stay within schedule and budget? Will they fix them at all?
Contract is negotiated and signed
It is recommended that within the contract there is language that binds the third-party to fixing and maintaining security throughout the term of the contract
During this step, the third-party has indicated that they fixed all of the necessary security issues found and the security consultant who found the issues will then go back and verify that they have fixed them properly. Does the third-party pay for the regression? Have they fixed all key issues that were identified?
Security does not end here, it is ever changing as new code and versions are implemented and new vulnerabilities are discovered.
In conclusion, ensuring the security of your company's data is not something that can be an afterthought. It will add time to your evaluation period but taking a little care in your selection process can save money and downtime in the future.
Microsoft – ACE Team