Third Party SDLC Audit
If you are using an outsourced software development shop or Commercial Off-The-Shelf (COTS) software, then you may have considered the security risks it may pose to your organization and your data. Security Compass' experienced consultants can audit any organization's SDLC for security controls.
Overview
- Audit the policies and procedures of a third party development group to identify gaps and shortcomings in security
- Comparison against security standards such as Open SAMM
- List of shortcomings and remediation steps provided, prioritized by risk
Key Business Benefits
- Decreased overall cost by preventing a larger number of vulnerabilities earlier in the development life-cycle
- Awareness of the risk posed by third party developed components
- Identification of vendor security posture to be used during vendor selection (software or development projects)
Our Approach
Security Compass' approach to SDLC security audits involves the use of a proprietary audit framework based on SAMM and enhanced by our experience in the field.
We use a number of self-guided questionnaires and interviews with key personnel to identify the security strengths and weaknesses in the following controls:
- Application security program
- Compliance integration
- Education and awareness
- Threat management
- Requirements
- Design
- Development
- Testing
- Deployment and maintenance
Security Compass auditor skillset
- Controls audit experience
- Software development experience
- Domain understanding of application security
- Up-to-date with advances in software development (tools, programming languages, testing techniques, design/modeling techniques)
Deliverables
The output of a third party SDLC audit is a detailed analysis of the security strengths and weaknesses in the organization's processes, policies, and procedures. A detailed remediation roadmap, which outlines a path to increased security posture, is also presented.