Software Risk Management: 3 Tips for Project & Product Managers

The development and deployment of software applications is inherently risky; a number of things can go wrong both during development and after launch. Project and product managers must stay aware of risks coming from a variety of areas, including:

  • Cyber risk (vulnerabilities leading to data breach, theft of intellectual property, malware from third-party code, etc.)

  • Operational risk (scheduling problems, delays, knowledge loss, etc.)

  • Regulatory and legal risk (GDPR compliance, industry-specific regulatory compliance, license issues for open-source code, etc.)

How can managers mitigate risks affecting their software projects? We’ve compiled some software risk management tips to help you avoid the biggest pitfalls of the development and deployment process.

1. Map the software supply chain.

Software development doesn’t happen in a vacuum. Modern software projects are rarely, if ever, built from scratch, which means each new application contains previously developed code. In fact, a significant 96% of applications scanned in a recent survey contained open-source components. In addition, many software projects are built or tested in the cloud, or using third-party devices.

[Learn How to Protect Your Digital Supply Chain]

Every third party whose code, hardware, or environments have a part to play in the development of your software should be considered part of the software supply chain (or digital supply chain). Mapping this supply chain and keeping a running log of each of the components within it can help product and project managers avoid issues.

What kind of issues? Well, third-party code can expose your software to malware, which we’ll cover in a moment.

Beyond that, however, the software supply chain can expose a project to legal and regulatory risks, as seen in the recent case of Artifex vs. Hancom, in which Hancom failed to comply with open-source licensing requirements and was held accountable in court.

In order to map their software supply chain, managers should encourage or enforce disclosures concerning open-source code. Forcing developers to document their usage of third-party code may be a hassle, but it is a necessary part of a good software risk management strategy.

2. Check and re-check any third-party code.

As we mentioned earlier, third-party code can lead to malware vulnerability. This was illustrated by the recent Ticketmaster breach, in which malware got into Ticketmaster’s codebase via “a single piece of JavaScript code” supplied by an AI search and chatbot company.

Digital Supply Chain Third Party Risk eBook
Download Now
Button Arrow

If your project is using third-party code to add functionality to your software, that code needs to be carefully verified. Without verification, third-party code could expose your company or your clients to significant risk.

Code verification tools like Veracode can be embedded into the software development lifecycle so developers can implement code securely without sacrificing time.

In addition, third-party risk management tools like BitSight Security Ratings can be used to track and continuously monitor the cybersecurity performance of third-party partners. If their security ratings are low, that could indicate poor cybersecurity practices in their code development as well.

3. Prepare for knowledge loss.

One of the biggest software development risks is the possibility of knowledge loss. As noted by the MIT Sloan Review, “knowledge loss resulting from employee turnover is becoming a critical issue that cannot be ignored.”

This is especially true for software developers, as style and documentation methods can vary from one coder to the next. If a key developer leaves mid-project, important deadlines can be missed, and in the worst cases, contracts can be lost.

To counteract this problem, project and product managers must act proactively, implementing policies that encourage taking proper notes and keeping development diaries. In addition, managers should hold regular check-in meetings with each developer, and record those meetings for future reference.

Technology companies can be impacted by weaknesses in the software supply chain. Unknown or unaddressed usage of open-source software can result in lawsuits. Operational issues can hinder progress during software development and deployment.

To overcome these risks and ensure the on-time launch of their software projects, managers must take responsibility for software risk management. Thankfully, using a combination of policies and risk management tools, a safer project is well within reach.

Learn how to protect your digital supply chain from cyber threats.