Setting Boundaries: How Procurement Relates to Security (Part 1)

Companies are made up of what they build, borrow, and buy. On the software development front, Sonatype’s tools help with two major issues: what you build (software) and borrow (open source code). But what about the things you buy? It’s part of a wide umbrella in organizations known as “procurement,” an area with an all-too-common lack of understanding and oversight.

This is the first part of a multi-part interview with Sonatype VP of Security Mike Griffin about this issue; it begins with an introduction to the topic.

How are security and procurement connected?

Mike: First, think about partners or vendors and a technology or service. It’s not much different than bringing on an employee or contractor. We’ve got to do background checks to help make sure they don’t have a shady history. After all, you’re not going to bring on a new CFO or someone in finance who has a history of fraud. Similarly, we want to avoid vendors who have poor security hygiene.

You want to make sure that the partners that you bring on are healthy and have a track record of delivering on their promises.

Second, is what you’re purchasing either a highly integrated technology or a service that hands over sensitive information? If so, it’s important that the partner and solution together have been reviewed to make sure that we are going to get the quality we expect, and that they’re doing the right things with our data.

Just like a new hire, you’re looking at abilities, experience, and knowledge. After all, if we hand them crucial customer data, we want to be sure that they’re going to protect it as well as or better than we can.

Third, we also want to think about culture. Think about bringing on an employee that doesn’t fit with our culture and doesn’t fit with our values. The

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Michael Griffin. Read the original post at: https://blog.sonatype.com/how-procurement-relates-to-security-part-1