Vendor assessment and application security are vital to business relationships today
BYST Security has performed several vendor assessments and application reviews for clients across the US and internationally. Companies today connect to and rely on many vendor applications to support or run their business. This comes at a risk: many organizations have been breached through vendor systems integrated with their own. Integration cannot be avoided, but before you allow the next connection to your information, contact us to perform a thorough 360-degree security review of the vendor and its application, so you avoid the reputational, legal and financial consequences of a vendor-originated breach.
We research the background of the vendor to determine whether they are reputable, then perform a detailed review of their platform or application, which may include penetration tests, vulnerability scans and code reviews. BYST Security then provides a detailed report based on our findings and a remediation plan for the vulnerabilities identified.
Here is a sample of the security questions we check when assessing a vendor.
Background information on the company
• We obtain a description of the services provided by the vendor
• Determine who hosts the services/application
• Determine whether the vendor stores or transmits your data, and whether the vendor will have a connection to your (tenant) systems
• Review the vendor's security program and check whether third parties are used to support the system
• Determine whether the vendor engages in data mining practices
• Determine what happens to your data after contract termination: does the vendor retain it?
Specific security controls
• We check how they protect their system/application, e.g., firewalls, web application firewalls, host-based IPS/IDS, logging and authentication, and how data is restricted from unauthorized access
• If there is a suspected breach of data security at the service provider level, what SLA is provided for notifying you?
Right to audit
• As a client, do you have the right to audit their system should the need arise?
Security testing results
• Have they performed a penetration test and vulnerability scans on the application? If so, who performed them and what were the results?
• We can also perform a penetration test and vulnerability scan on your behalf, under the agreement you have with us, and assess whether the system is adequately secured
Secure code and development review
• What security testing is in place during the application development process?
• Is a documented secure code review performed by a qualified and properly trained code reviewer?
• Integration: does the platform have any built-in integration tools that allow the client to create their own interface profiles?
• What integration protocols does the platform support? This determines whether the system can connect to your systems
• Does the platform support identity management (IDM), single sign-on (SSO) and/or federation for user authentication, or does it support only native authentication?
Hosting platform (e.g., SaaS)
• Does the platform use any third-party technologies that are not native to the platform?
• Is the platform hosted at a company-owned facility, or via a co-location or cloud provider?