Securing Your Third Party Vendors (and their Source Code)

By: In: Technology Escrow On: Nov 03, 2014

Most businesses today embed applications from third-party vendors because of convenience, flexibility, and cost savings. The problem with entrusting a third party is that you need to know that the code you rely on meets the same or better standards you demand for your own code as it relates to security, reliability and provenance.

I recently attended Mass TLC’s 2014 Security Conference: Building Security into an Insecure World.  One of the breakout sessions that really grabbed my attention was “Securing Your Third Party Vendors.” It discussed how your company and products may be secure; but what about those of third-party vendors and supply chain partners? The speakers for this session included Edna Conway, Chief Security Officer, Global Supply Chain at Cisco Systems; Joshua Brickman, Director, Security Evaluations, Oracle; Sally Long, Executive Director, The Open Group; and Adam Woodbury, Principal Engineer, MITRE. Thanks to all of the speakers for addressing this important topic.

Every software product today, relies on someone else’s code at some level.  At Iron Mountain, more than half of the escrow deposits we test today contain open source and all of them rely on third party code or tools.  That makes everyone that is a “software developer” also a “software user” – and that creates risk which this group shared their experience with the audience.

According to a Forrester Research survey, four out of five developers use an open source development tool.

The panel talked about knowing where your third-party code comes from, whether its open source code or proprietary.  They talked about application testing the code and ensuring that any known vulnerabilities are plugged and patched.  In this day and age, there is lots of news almost daily about data breaches, just take a look at Home Depot & Target.  It certainly makes sense, but what about the next level? You still need to think about the code itself and the need to be able to access it when something major happens.  Ultimately, the product you sell has your logo and brand on it, your customers will hold you responsible to how it works or doesn’t. So in today’s world where every open source “developer” is also a “licensee” of software, reliant on third parties, shouldn’t you be more prepared?

What if You Could:

  1. Take the risk out of losing control when you embed third-party software?
  2. Have leverage to ensure that your third-party vendor delivered on the promise of the software?
  3. Have a mechanism to protect you even if your third-party developer closed its doors or stopped supporting your software?
  4. Have peace of mind knowing that you’re prepared for the unexpected?

Complement the use of your third-party vendor by utilizing the advantages of storing the entire code in an escrow account. Once you have it placed in the escrow account you can verify what is exactly in there and know for sure that if anything were to happen- you wouldn’t suffer any repercussions.

Think of it this way… You own a milk company, we’ll call it Moo Moo, Inc., and you are 100% sure that the milk you are producing is clean, safe, and completely healthy. But then you place it in a third-party supplier’s plastic milk jug to be shipped out to stores across the nation. You later find out that the jug has chemical toxins and they were released from the plastic into the milk and some of your consumers became really sick. Thousands of gallons of milk were recalled and you endured a cost, and blow to your reputation, factors that you were not prepared for. If you had outsourced, secured, and tested the plastic material first, then you would have been fine to continue normal business operations. However, by neither securing nor testing it, you ended up in a disruption to your business cycle since you had to wait for more plastic containers to be shipped to you and then verify that they were not chemically contaminated.

Although unfortunately we in the Technology Escrow business do not secure and verify your plastic milk bottles, we will help you manage your intellectual property and would be happy to have a discussion with you.

Thanks again to MassTLC for putting on such a thought-provoking conference!


← Big Data: Massive Opportunities, Compelling Challenges How to Ditch Your Old Office Equipment (Without a Baseball Bat) →

Leave A Comment


About the author

John Boruvka

John Boruvka, vice president for Iron Mountain’s Intellectual Property Management business unit, has been involved in the technology escrow and intellectual property management field for more than 25 years. His focus is helping companies create solutions relating to protecting intellectual property assets. Mr. Boruvka is considered an authority in the field of technology escrow and issues surrounding the role of a neutral third party in helping protect and manage intellectual property. Follow me on Twitter @JBoruvka