Software Risk Management: 3 Tips for Project & Product Managers

Alex Campanelli | February 19, 2019 | tag: Vendor Risk Management

The development and deployment of software applications is inherently risky; a number of things can go wrong both during development and after launch. Project and product managers must stay aware of risks coming from a variety of areas, including:

  • Cyber risk (vulnerabilities leading to data breach, theft of intellectual property, malware from third-party code, etc.)

  • Operational risk (scheduling problems, delays, knowledge loss, etc.)

  • Regulatory and legal risk (GDPR compliance, industry-specific regulatory compliance, license issues for open-source code, etc.)

How can managers mitigate risks affecting their software projects? We’ve compiled some software risk management tips to help you avoid the biggest pitfalls of the development and deployment process.

1. Map the software supply chain.

Software development doesn’t happen in a vacuum. Modern software projects are rarely, if ever, built from scratch, which means each new application contains previously developed code. In one recent survey, 96% of the applications scanned contained open-source components. In addition, many software projects are built or tested in the cloud, or using third-party devices.


Every third party whose code, hardware, or environments have a part to play in the development of your software should be considered part of the software supply chain (or digital supply chain). Mapping this supply chain and keeping a running log of each of the components within it can help product and project managers avoid issues.

What kind of issues? Well, third-party code can carry malicious or vulnerable code into your product, which we’ll cover in a moment.

Beyond that, however, the software supply chain can expose a project to legal and regulatory risks, as seen in the recent case of Artifex v. Hancom, in which Hancom was sued for shipping the GPL-licensed Ghostscript without complying with the license’s terms, and the court allowed Artifex’s claim to proceed.

In order to map their software supply chain, managers should require disclosure of every third-party component: its name, version, where it was fetched from, and its license. Asking developers to document their use of third-party code by hand is a hassle, and hand-kept lists go stale; wherever possible the inventory should be generated from the build’s own manifests and lockfiles, and regenerated on every build. Either way, it is a necessary part of a good software risk management strategy.
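One way to make that disclosure mechanical rather than manual is to build the inventory from the lockfile the build already produces. The following is an added example (not BitSight’s code, and not a tool the post recommends) that reads an npm package-lock.json, lists every third-party component with its version, source and license, and flags what a reviewer should look at: an undeclared or copyleft license, a license outside an assumed allowlist, a package fetched from somewhere other than the registry, and a package with no integrity hash recorded. The lockfile content, the package names and the allowlist are all constructed for the example.

```python
"""Build a third-party component inventory from an npm lockfile and flag
policy issues. Added example; the lockfile, package names and allowlist
are constructed, not taken from any real project."""
import json

# Assumed license allowlist; the real policy comes from legal and engineering.
ALLOWED_LICENSES = {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
COPYLEFT_PREFIXES = ("GPL", "AGPL", "LGPL")
TRUSTED_REGISTRY = "https://registry.npmjs.org/"

# Constructed package-lock.json (lockfileVersion 2 "packages" layout).
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/util-strings": {
            "version": "1.3.0", "license": "WTFPL",
            "resolved": TRUSTED_REGISTRY + "util-strings/-/util-strings-1.3.0.tgz",
            "integrity": "sha512-constructed1"},
        "node_modules/pdf-render-lib": {
            "version": "0.9.1", "license": "AGPL-3.0",
            "resolved": TRUSTED_REGISTRY + "pdf-render-lib/-/pdf-render-lib-0.9.1.tgz",
            "integrity": "sha512-constructed2"},
        "node_modules/date-fmt": {
            "version": "4.17.11",
            "resolved": TRUSTED_REGISTRY + "date-fmt/-/date-fmt-4.17.11.tgz",
            "integrity": "sha512-constructed3"},
        "node_modules/internal-widget": {
            "version": "2.0.0", "license": "MIT",
            "resolved": "git+ssh://git@github.com/example/internal-widget.git#abc123"},
    },
})


def inventory(lock_text):
    """Return one row per third-party package, sorted by name."""
    lock = json.loads(lock_text)
    rows = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself
        # Nested installs look like node_modules/a/node_modules/b; keep the leaf name.
        name = path.rsplit("node_modules/", 1)[-1]
        rows.append({
            "name": name,
            "version": meta.get("version", ""),
            "license": meta.get("license"),      # None when the lockfile records none
            "resolved": meta.get("resolved", ""),
            "integrity": meta.get("integrity"),
        })
    return sorted(rows, key=lambda r: r["name"])


def policy_findings(rows):
    """Return (package, reason) pairs for anything that needs a human look."""
    findings = []
    for r in rows:
        lic = r["license"]
        if lic is None:
            findings.append((r["name"], "no license declared; obtain it before shipping"))
        elif lic.startswith(COPYLEFT_PREFIXES):
            findings.append((r["name"], f"copyleft license {lic}; legal review required"))
        elif lic not in ALLOWED_LICENSES:
            findings.append((r["name"], f"license {lic} not on allowlist"))
        if not r["resolved"].startswith(TRUSTED_REGISTRY):
            findings.append((r["name"], f"fetched from non-registry source {r['resolved']}"))
        if not r["integrity"]:
            findings.append((r["name"], "no integrity hash recorded; contents cannot be re-verified"))
    return findings


def report(lock_text):
    """Render the inventory and findings as plain text for a build log."""
    rows = inventory(lock_text)
    lines = [f"{r['name']}@{r['version']}  license={r['license'] or '?'}  from={r['resolved']}"
             for r in rows]
    lines += [f"REVIEW {name}: {reason}" for name, reason in policy_findings(rows)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOCK))
```

Run this as a CI step that fails the build on any `REVIEW` line and the disclosure happens on every merge instead of when someone remembers. The same approach works for any lockfile format (Pipfile.lock, Cargo.lock, go.sum); only the parsing differs.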

2. Check and re-check any third-party code.

As we mentioned earlier, third-party code can be the route by which malicious code reaches your users. This was illustrated by the recent Ticketmaster breach, in which card-skimming malware ran on Ticketmaster’s payment pages via “a single piece of JavaScript code” supplied by an AI search and chatbot company.

If your project is using third-party code to add functionality to your software, that code needs to be carefully verified before it is trusted, and verified again every time it changes, including code that is loaded at runtime from the vendor’s own servers rather than copied into your repository. Without verification, third-party code could expose your company or your clients to significant risk.

Static analysis and software composition analysis tools like Veracode can be embedded into the software development lifecycle, so that both your own code and the third-party components it pulls in are scanned as part of every build rather than in a separate review that costs developers time.

In addition, third-party risk management tools like BitSight Security Ratings can be used to track and continuously monitor the cybersecurity performance of third-party partners. If their security ratings are low, that could indicate poor cybersecurity practices in their code development as well.

3. Prepare for knowledge loss.

One of the biggest software development risks is the possibility of knowledge loss. As noted by the MIT Sloan Review, “knowledge loss resulting from employee turnover is becoming a critical issue that cannot be ignored.”

This is especially true for software developers, as style and documentation methods can vary from one coder to the next. If a key developer leaves mid-project, important deadlines can be missed, and in the worst cases, contracts can be lost.

To counteract this problem, project and product managers must act proactively, implementing policies that keep knowledge in shared places rather than in one person’s head: design decisions and setup notes recorded alongside the code, and code review so that more than one developer understands each part of the system. In addition, managers should hold regular check-in meetings with each developer, and record those meetings for future reference.

Technology companies can be impacted by weaknesses in the software supply chain. Unknown or unaddressed usage of open-source software can result in lawsuits. Operational issues can hinder progress during software development and deployment.

To overcome these risks and ensure the on-time launch of their software projects, managers must take responsibility for software risk management. Thankfully, using a combination of policies and risk management tools, a safer project is well within reach.
