Assessing Vendor Application Security: A Practical Way to Begin

Many companies are adopting a preference for buying vendor software rather than building software in-house to meet business needs. Some of the drivers for this preference are integration, scalability, outsourcing, support, speed-to-market, process savings, and reducing the cost of information technology (IT). In adopting a preference for purchased software, it becomes critical that companies have an assessment methodology for determining how well each proposed vendor package will meet established business and technical requirements. Therefore, the purpose of this paper is to establish a guide for targeting areas of potential concern to the business regarding the security of vendor-developed applications that will be deployed in an enterprise environment. This paper is not intended to be a complete guide to assessing vendor applications, but it will give the reader a roadmap for gathering relevant information about the proposed application, formulating directed questions to ask the vendor, determining where potential pitfalls may exist, and giving management feedback on security concerns that may influence the final purchasing decision.

1370 (PDF, 2.54MB)

8 Apr 2004
By Barton Hubbs
All papers are copyrighted

No re-posting of papers is permitted