Software Risk Management: 3 Tips for Project & Product Managers

Alex Campanelli | February 19, 2019

The development and deployment of software applications is inherently risky; a number of things can go wrong both during development and after launch. Project and product managers must stay aware of risks coming from a variety of areas, including:

  • Cyber risk (vulnerabilities leading to data breach, theft of intellectual property, malware from third-party code, etc.)

  • Operational risk (scheduling problems, delays, knowledge loss, etc.)

  • Regulatory and legal risk (GDPR compliance, industry-specific regulatory compliance, license issues for open-source code, etc.)

How can managers mitigate risks affecting their software projects? We’ve compiled some software risk management tips to help you avoid the biggest pitfalls of the development and deployment process.

1. Map the software supply chain.

Software development doesn’t happen in a vacuum. Modern software projects are rarely, if ever, built from scratch, which means each new application contains previously developed code. In one recent survey, 96% of the applications scanned contained open-source components. In addition, many software projects are built or tested in the cloud, or on third-party devices.

Every third party whose code, hardware, or environments have a part to play in the development of your software should be considered part of the software supply chain. Mapping this supply chain and keeping a running log of each of the components within it can help product and project managers avoid issues.

What kind of issues? Well, third-party code can expose your software to malware, which we’ll cover in a moment.

Beyond that, however, the software supply chain can expose a project to legal and regulatory risks, as seen in the recent case of Artifex vs. Hancom, in which Hancom failed to comply with open-source licensing requirements and was held accountable in court.

In order to map their software supply chain, managers should encourage or enforce disclosures concerning open-source code. Forcing developers to document their usage of third-party code may be a hassle, but it is a necessary part of a good software risk management strategy.

2. Check and re-check any third-party code.

As we mentioned earlier, third-party code can introduce malware into your own application. This was illustrated by the recent Ticketmaster breach, in which malware got into Ticketmaster’s codebase via “a single piece of JavaScript code” supplied by an AI search and chatbot company.

If your project is using third-party code to add functionality to your software, that code needs to be carefully verified. Without verification, third-party code could expose your company or your clients to significant risk.

Code verification tools like Veracode can be embedded into the software development lifecycle so developers can implement code securely without sacrificing time.

In addition, third-party risk management tools like BitSight Security Ratings can be used to track and continuously monitor the cybersecurity performance of third-party partners. If their security ratings are low, that could indicate poor cybersecurity practices in their code development as well.
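The Ticketmaster case above is the third-party JavaScript problem in its simplest form: a page loads a script from someone else's server and runs whatever that server happens to serve today. The added example below (written for this page, not code from the original post or from any vendor named in it) shows one concrete way to turn "carefully verify third-party code" into a repeatable check: keep an inventory mapping each approved third-party script URL to the Subresource Integrity (SRI) hash of the copy that was actually reviewed, then audit your pages for cross-origin scripts that are not in the inventory, carry no `integrity` attribute, or are pinned to a different hash. The URLs, script bytes and HTML are constructed samples.

```python
import base64
import hashlib
import re
from typing import Dict, List, Tuple

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """SRI value for the reviewed copy of a script, e.g. 'sha384-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, content).digest()).decode()}"


def audit_third_party_scripts(html: str, inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (url, reason) for each cross-origin <script> not pinned to a vetted hash.

    inventory maps each approved third-party script URL to the SRI value of its
    reviewed copy. First-party (relative) scripts are skipped; an empty result
    means every third-party script on the page is both inventoried and pinned.
    """
    findings = []
    for m in SCRIPT_TAG.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(1))}
        src = attrs.get("src", "")
        if not src.startswith(("http://", "https://", "//")):
            continue  # served from our own origin; not part of this check
        if src not in inventory:
            findings.append((src, "not in the supply-chain inventory: never reviewed"))
        elif "integrity" not in attrs:
            findings.append((src, "no integrity attribute: browser runs whatever the CDN serves"))
        elif attrs["integrity"] != inventory[src]:
            findings.append((src, "integrity does not match the reviewed copy"))
    return findings


# Constructed sample data (not from the original post): the reviewed widget bytes,
# the inventory built from them, and a page that loads three third-party scripts.
VETTED_WIDGET_JS = b"window.chatWidget = function () { /* reviewed build */ };"
INVENTORY = {
    "https://cdn.chatbot.example/widget.js": sri_hash(VETTED_WIDGET_JS),
    "https://cdn.analytics.example/track.js": sri_hash(b"/* reviewed tracker */"),
}
SAMPLE_HTML = f"""
<script src="/static/app.js"></script>
<script src="https://cdn.chatbot.example/widget.js"
        integrity="{INVENTORY['https://cdn.chatbot.example/widget.js']}" crossorigin="anonymous"></script>
<script src="https://cdn.analytics.example/track.js"></script>
<script src="https://cdn.ads.example/ads.js"></script>
"""

if __name__ == "__main__":
    for url, reason in audit_third_party_scripts(SAMPLE_HTML, INVENTORY):
        print(f"{url}: {reason}")
```

Running it flags `track.js` (inventoried but unpinned) and `ads.js` (never reviewed) while the pinned `widget.js` passes; re-running the audit whenever a page template changes keeps the inventory from Tip 1 and the verification from Tip 2 in step.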

3. Prepare for knowledge loss.

One of the biggest software development risks is the possibility of knowledge loss. As noted by the MIT Sloan Review, “knowledge loss resulting from employee turnover is becoming a critical issue that cannot be ignored.”

This is especially true for software developers, as style and documentation methods can vary from one coder to the next. If a key developer leaves mid-project, important deadlines can be missed, and in the worst cases, contracts can be lost.

To counteract this problem, project and product managers must act proactively, implementing policies that encourage taking proper notes and keeping development diaries. In addition, managers should hold regular check-in meetings with each developer, and record those meetings for future reference.

Technology companies can be impacted by weaknesses in the software supply chain. Unknown or unaddressed usage of open-source software can result in lawsuits. Operational issues can hinder progress during software development and deployment.

To overcome these risks and ensure the on-time launch of their software projects, managers must take responsibility for software risk management. Thankfully, using a combination of policies and risk management tools, a safer project is well within reach.
