A group of 10 financial firms released a set of guidelines advising companies on the best ways to evaluate the cyber-threats posed by their third-party suppliers, according to eWEEK.
Security experts from Aetna, Capital One, Citibank, Morgan Stanley and Thomson Reuters joined the Third-Party Software Security Working Group to help companies evaluate and improve the security of their partners and software providers.
The group’s guidelines advise companies to evaluate “the maturity of their suppliers’ software” against the ever-evolving threat landscape, using a process known as the Build Security In Maturity Model, or BSIMM.
“The controls that have been well established to evaluate third parties do not really reflect the change in the attack surface and are not comprehensive enough to have kept up with advances in security practices,” Routh, Chief Information Security Officer for Aetna, told eWEEK.
Third-party vendors should also assess their software for vulnerabilities using binary static analysis, which lets them verify that an identified security issue has actually been fixed before sharing the results with the client.
Development teams should implement a third control to evaluate open-source software libraries and frameworks, the group advised.
However, adopting these practices will not be easy.
“I don’t have any illusions: The financial industry has attempted consistent application controls in third-party governance in many different ways,” Routh adds. “This is a way of putting a stake in the ground and say, ‘These are the best practices today, and you should apply these going forward.’”
The group is part of the Financial Services Information Sharing and Analysis Center (FS-ISAC) created in 1999 to disseminate cyber-threat information across the US financial services industry.