
Software Risk Management: 3 Tips for Project & Product Managers

Alex Campanelli | February 19, 2019

The development and deployment of software applications is inherently risky; a number of things can go wrong both during development and after launch. Project and product managers must stay aware of risks coming from a variety of areas, including:

  • Cyber risk (vulnerabilities leading to data breach, theft of intellectual property, malware from third-party code, etc.)

  • Operational risk (scheduling problems, delays, knowledge loss, etc.)

  • Regulatory and legal risk (GDPR compliance, industry-specific regulatory compliance, license issues for open-source code, etc.)

How can managers mitigate risks affecting their software projects? We’ve compiled some software risk management tips to help you avoid the biggest pitfalls of the development and deployment process.

1. Map the software supply chain.

Software development doesn’t happen in a vacuum. Modern software projects are rarely, if ever, built from scratch, which means each new application contains previously developed code. In fact, a significant 96% of applications scanned in a recent survey contained open-source components. In addition, many software projects are built or tested in the cloud, or using third-party devices.


Every third party whose code, hardware, or environments have a part to play in the development of your software should be considered part of the software supply chain. Mapping this supply chain and keeping a running log of each of the components within it can help product and project managers avoid issues.

What kind of issues? Well, third-party code can expose your software to malware, which we’ll cover in a moment.

Beyond that, however, the software supply chain can expose a project to legal and regulatory risks, as seen in the recent case of Artifex vs. Hancom, in which Hancom failed to comply with open-source licensing requirements and was held accountable in court.

In order to map their software supply chain, managers should encourage or enforce disclosures concerning open-source code. Forcing developers to document their usage of third-party code may be a hassle, but it is a necessary part of a good software risk management strategy.

2. Check and re-check any third-party code.

As we mentioned earlier, third-party code can open the door to malware. This was illustrated by the recent Ticketmaster breach, in which malware got into Ticketmaster’s codebase via “a single piece of JavaScript code” supplied by an AI search and chatbot company.

If your project is using third-party code to add functionality to your software, that code needs to be carefully verified. Without verification, third-party code could expose your company or your clients to significant risk.

Code verification tools like Veracode can be embedded into the software development lifecycle so developers can implement code securely without sacrificing time.

In addition, third-party risk management tools like BitSight Security Ratings can be used to track and continuously monitor the cybersecurity performance of third-party partners. If their security ratings are low, that could indicate poor cybersecurity practices in their code development as well.

3. Prepare for knowledge loss.

One of the biggest software development risks is the possibility of knowledge loss. As noted by the MIT Sloan Review, “knowledge loss resulting from employee turnover is becoming a critical issue that cannot be ignored.”

This is especially true for software developers, as style and documentation methods can vary from one coder to the next. If a key developer leaves mid-project, important deadlines can be missed, and in the worst cases, contracts can be lost.

To counteract this problem, project and product managers must act proactively, implementing policies that encourage taking proper notes and keeping development diaries. In addition, managers should hold regular check-in meetings with each developer, and record those meetings for future reference.

Technology companies can be impacted by weaknesses in the software supply chain. Unknown or unaddressed usage of open-source software can result in lawsuits. Operational issues can hinder progress during software development and deployment.

To overcome these risks and ensure the on-time launch of their software projects, managers must take responsibility for software risk management. Thankfully, using a combination of policies and risk management tools, a safer project is well within reach.
