It is a truism that most organisations will not have the ability to test all the software they buy. In many cases, they will have to rely on the supplier’s assurances that the software has been tested and passed those tests.
The Information Security Forum (ISF) recognises that it may be impossible to test all software, business or otherwise.
Instead, a risk-based approach is recommended.
This allows organisations to focus their efforts on the software – and the business functions it supports – so that they make best use of the limited resources they may have and ensure the tests chosen highlight shortcomings once the software is in use.
This is best achieved by understanding the information that will be created, processed and stored by the software, and by conducting a risk assessment that examines the business impact, threats and vulnerabilities of the software and the environments in which it will be used.
With the information handled by the software and the results of the risk assessment known, an organisation can decide whether to test and select the most suitable tests.
To build security testing into the procurement process, the ISF advises that any organisation should adopt an information-centric, risk-based approach – such as that described in the ISF Supply Chain Information Risk Assurance Process.
The requirement for security testing can be integrated into the RFI/RFP/RFT process, so an acquirer can communicate its requirements for supplier testing – and results to be shared – throughout the procurement process.
Additionally, the acquirer can state the tests it will perform throughout the RFI/RFP/RFT process and how those results will be used in the procurement decision.
If necessary, and guided by the risk assessment, the acquirer may undertake a testing programme at the due diligence stage of the procurement cycle before committing to buy.
Adrian Davis is principal research analyst at the Information Security Forum (ISF).
This was first published in November 2013