The development and deployment of software applications is inherently risky; a number of things can go wrong both during development and after launch. Project and product managers must stay aware of risks coming from a variety of areas, including:
Cyber risk (vulnerabilities leading to data breach, theft of intellectual property, malware from third-party code, etc.)
Regulatory and legal risk (GDPR compliance, industry-specific regulatory compliance, license issues for open-source code, etc.)
How can managers mitigate risks affecting their software projects? We’ve compiled some software risk management tips to help you avoid the biggest pitfalls of the development and deployment process.
1. Map the software supply chain.
Software development doesn’t happen in a vacuum. Modern software projects are rarely, if ever, built from scratch, which means each new application contains previously developed code. In a recent survey, 96% of the applications scanned contained open-source components. In addition, many software projects are built or tested in the cloud, or on third-party devices.
Every third party whose code, hardware, or environments have a part to play in the development of your software should be considered part of the software supply chain (or digital supply chain). Mapping this supply chain and keeping a running log of each of the components within it can help product and project managers avoid issues.
What kind of issues? Well, third-party code can expose your software to malware, which we’ll cover in a moment.
Beyond that, however, the software supply chain can expose a project to legal and regulatory risks, as seen in the recent case of Artifex vs. Hancom, in which Hancom failed to comply with open-source licensing requirements and was held accountable in court.
In order to map their software supply chain, managers should encourage or enforce disclosures concerning open-source code: which components are used, at which versions, and under which licenses. Requiring developers to document their usage of third-party code may be a hassle, but it is a necessary part of a good software risk management strategy.
2. Check and re-check any third-party code.
If your project is using third-party code to add functionality to your software, that code needs to be carefully verified. Without verification, third-party code could expose your company or your clients to significant risk.
Static analysis and software composition analysis tools such as Veracode can be embedded into the software development lifecycle so developers can check third-party code for known vulnerabilities and license problems as part of the normal build, without sacrificing time.
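The two tips above amount to one practical control: keep an inventory of every third-party component (a software bill of materials, or SBOM) and check each entry against a policy before the build ships. The script below is an added example written for this page, not tooling from the article or from any vendor it names. It assumes a CycloneDX-style JSON inventory listing each component's name, version, license identifier and SHA-256 hash, and a policy consisting of a license allowlist plus a set of copyleft licenses that must go to legal review (the kind of obligation at issue in open-source licensing disputes such as the one mentioned above). The sample SBOM, the artifact bytes and the license sets are all constructed for illustration.

```python
"""SBOM policy check: license compliance plus artifact integrity.

Added example, not the article's or any vendor's code. Assumptions
(not from the original page): a CycloneDX-style JSON inventory and a
hand-written policy of allowed and review-required SPDX license ids.
All sample data below is constructed.
"""
from __future__ import annotations

import hashlib
import json

# Constructed policy: licenses the project accepts without review, and
# copyleft licenses that must be cleared by legal before shipping.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
REVIEW_REQUIRED = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "LGPL-2.1-only"}

# Constructed sample artifacts: the bytes the build actually fetched.
FETCHED_ARTIFACTS = {
    "leftpad": b"module.exports = s => ' ' + s;",
    "pdfkit-shim": b"int render(void) { return 0; }",
    "fastjson": b"def loads(s): return {}",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed CycloneDX-style inventory. The third component records a
# hash that does not match what was fetched, simulating an artifact that
# changed upstream (or in transit) after the inventory was written.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "leftpad", "version": "1.3.0",
         "licenses": [{"license": {"id": "MIT"}}],
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(FETCHED_ARTIFACTS["leftpad"])}]},
        {"name": "pdfkit-shim", "version": "0.9.1",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}],
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(FETCHED_ARTIFACTS["pdfkit-shim"])}]},
        {"name": "fastjson", "version": "2.0.0",
         "licenses": [],
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
    ],
})


def component_licenses(component: dict) -> list[str]:
    """Collect declared SPDX ids (or free-text names) for one component."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "")
    return [i for i in ids if i]


def declared_sha256(component: dict) -> str | None:
    for h in component.get("hashes", []):
        if h.get("alg") == "SHA-256":
            return h.get("content", "").lower()
    return None


def check_sbom(sbom_json: str, fetched: dict[str, bytes]) -> list[dict]:
    """Return one finding per policy violation; an empty list means clean."""
    findings = []
    for c in json.loads(sbom_json)["components"]:
        ident = f"{c['name']}@{c['version']}"

        # License policy: every component must declare a license, and each
        # declared license must be either allowed or explicitly routed to review.
        lics = component_licenses(c)
        if not lics:
            findings.append({"component": ident, "kind": "license",
                             "detail": "no license declared"})
        for lic in lics:
            if lic in REVIEW_REQUIRED:
                findings.append({"component": ident, "kind": "license",
                                 "detail": f"{lic} requires legal review"})
            elif lic not in ALLOWED_LICENSES:
                findings.append({"component": ident, "kind": "license",
                                 "detail": f"{lic} not on allowlist"})

        # Integrity: the bytes that entered the build must match the inventory.
        expected = declared_sha256(c)
        actual = fetched.get(c["name"])
        if expected is None:
            findings.append({"component": ident, "kind": "integrity",
                             "detail": "no SHA-256 recorded in inventory"})
        elif actual is None:
            findings.append({"component": ident, "kind": "integrity",
                             "detail": "artifact not present in build"})
        elif sha256_hex(actual) != expected:
            findings.append({"component": ident, "kind": "integrity",
                             "detail": "SHA-256 mismatch with fetched artifact"})
    return findings


if __name__ == "__main__":
    for f in check_sbom(SAMPLE_SBOM, FETCHED_ARTIFACTS):
        print(f"{f['kind']:9} {f['component']:20} {f['detail']}")
```

Run as a build step, the check fails the pipeline on any finding. On the constructed inventory it reports nothing for leftpad, flags pdfkit-shim for legal review because of its copyleft license, and flags fastjson twice: once for the missing license declaration and once for the hash mismatch. The integrity check is what turns a paper inventory into a control: a list of names and versions says what you intended to ship, while the hash comparison confirms what you actually built from.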
3. Plan for knowledge loss.
One of the biggest software development risks is the possibility of knowledge loss. As noted by the MIT Sloan Review, “knowledge loss resulting from employee turnover is becoming a critical issue that cannot be ignored.”
This is especially true for software developers, as style and documentation methods can vary from one coder to the next. If a key developer leaves mid-project, important deadlines can be missed, and in the worst cases, contracts can be lost.
To counteract this problem, project and product managers must act proactively, implementing policies that encourage taking proper notes and keeping development diaries. In addition, managers should hold regular check-in meetings with each developer, and record those meetings for future reference.
Technology companies can be impacted by weaknesses in the software supply chain. Unknown or unaddressed usage of open-source software can result in lawsuits. Operational issues can hinder progress during software development and deployment.
To overcome these risks and ensure the on-time launch of their software projects, managers must take responsibility for software risk management. Thankfully, using a combination of policies and risk management tools, a safer project is well within reach.