June 15, 2020
Vendor Risk Management: The Rise Of The Marketplace App
I had a great conversation with a CISO of a small tech company that brought up a growing issue in vendor risk management that does not get a lot of mindshare. But the issue is there and it’s potentially an explosive landmine as far as security risks are concerned. Let’s call the issue: The Rise Of The Marketplace App.
We’re still in the early stages of companies trying to establish vendor risk programs and wrap their heads around which vendors they should assess and how often. A common refrain in vendor risk is that the number of vendors used by companies “has gone up exponentially,” or a similar platitude, usually as a preface to “this is why you should buy our software or service.”
And no doubt there is truth to this – nobody would deny that companies are using more and more vendors, and that they need to be thoughtful about their security assessments of those vendors. But for a huge number of companies, marketplace apps on Salesforce AppExchange, Atlassian Marketplace, AWS Marketplace and others have largely bypassed the normal procurement and security assessment process. What’s more, these apps often have high-level admin access to customer data, extensive PII, financial information and more.
How are marketplace apps able to circumvent the normal purchasing process that should exist within an organization?
1. Their buyers want something quick and don’t respect their company’s purchasing process. Or there is not a good purchasing process in place.
2. The vendor’s product does not have a high ticket price and/or high user count and is thus deemed to not have the level of importance needed for a review.
3. The vendor’s product is extremely siloed within an organization – it does not interact with many people or departments and ‘flies under the radar’.
Keep in mind that there is a broad landscape of companies that deal with these issues in various ways. The larger the company, the more restrictive it tends to be about different types of 3rd party apps. But this is where the issue of 4th party risk rears its ugly head. Smaller tech vendors are far more likely and willing to use new and unproven (from a security perspective) apps and services. If a large company shares data with a tech vendor, and that vendor in turn gives a marketplace app admin access to the systems holding that data, the large company now has a very relevant 4th party problem: the app was never assessed by anyone, yet it can reach the data.
The companies that own and operate these Marketplaces and App Stores are increasingly taking the reviews into their own hands. But if you think there’s a natural push and pull between the business and security in your own organization, imagine what exists in these larger companies.
So where does this lead the Information Security Professional as they are trying to navigate the need for the business to have access to the latest apps, quickly and easily but also trying to reduce the risk?
1. Make sure the business knows that you are trying to work with them to procure the app they want, but that at the same time you want to make sure it won’t sink the company.
2. Be wary of apps that have admin access but won’t submit to a security review. The answers on a security review don’t need to break records for completeness but being able to answer one in the first place signifies an understanding and focus on serious security issues.
3. Make the case to your business user to pay more for a company with a more established security posture.
4. If there are no good alternatives, consider paying the app maker to undergo a security review. If your business user intends to spend $100 per year on an app, it usually doesn’t make financial sense for the vendor to spend the time and effort on responding to a security review. Incentivize the vendor with an added ‘service’ fee if the app is truly that valuable to the user and there are no better alternatives.
5. While you’re at it, extol the virtues of the SIG (the Shared Assessments Standardized Information Gathering questionnaire) to the vendor, so that the next customer who asks gets a ready-made answer!