    How do you handle vendor and software assessments?

    • IRJ

      How do you guys handle bringing in new vendors and software? Do you use questionnaires for vendors to fill out? How many questions do you ask? Who is making the final call to actually bring in these vendors or software from a security perspective?

      • Dashrender @IRJ

        @IRJ said in How do you handle vendor and software assessments?:

        How do you guys handle bringing in new vendors and software? Do you use questionnaires for vendors to fill out? How many questions do you ask? Who is making the final call to actually bring in these vendors or software from a security perspective?

        In my case - I do send them a list of questions. Sadly though, the BOD has generally already decided what we are going to use before I (IT) am asked.

        Short of me pointing out a very bad security issue (haven't run into that yet) they'll go through with poor decisions - even if I give them better options.

        • IRJ @Dashrender

          @Dashrender said in How do you handle vendor and software assessments?:

          @IRJ said in How do you handle vendor and software assessments?:

          Short of me pointing out a very bad security issue (haven't run into that yet) they'll go through with poor decisions - even if I give them better options.

          You've never seen a security issue with a vendor? What kind of vendors do you have?

          • Dashrender @IRJ

            @IRJ said in How do you handle vendor and software assessments?:

            @Dashrender said in How do you handle vendor and software assessments?:

            @IRJ said in How do you handle vendor and software assessments?:

            Short of me pointing out a very bad security issue (haven't run into that yet) they'll go through with poor decisions - even if I give them better options.

            You've never seen a security issue with a vendor? What kind of vendors do you have?

            No, that's not what I'm saying - Since they have allowed me to ask the questions - I haven't run into a situation where they wanted us to have say - Java or Flash to use their crap. Those are two examples where I would implore them not to use that solution and allow me to find something else.

            • travisdh1 @IRJ

              @IRJ said in How do you handle vendor and software assessments?:

              @Dashrender said in How do you handle vendor and software assessments?:

              @IRJ said in How do you handle vendor and software assessments?:

              Short of me pointing out a very bad security issue (haven't run into that yet) they'll go through with poor decisions - even if I give them better options.

              You've never seen a security issue with a vendor? What kind of vendors do you have?

              I have, tried to nix the vendor. They were claiming that MD5 was still adequate protection around 2015, well after it was known not to be.

              • IRJ

                Here is a good solution!

                https://www.mangolassi.it/topic/18935/vsaq-open-source-vendor-security-assessment
