You can use SD Elements to provide detailed security requirements to third party software developers. The third party can provide completion status and notes on tasks, and you may wish to verify the tasks through security testing. This will provide much greater assurance of security than testing alone.
Generally speaking you will need to negotiate use of SD Elements/inclusion of security requirements as part of a contract or during Request For Proposal (RFP) time. Some clients have vendors compete on security status using SD Elements during the RFP process as one criterion for selecting software.
To use SD Elements with third party software, use the following process:
1. Model the third party software in SD Elements.
Note that you, rather than the third party vendor, should answer the project settings. Vendors may attempt to answer the questionnaire in such a way as to reduce the number of tasks from SD Elements. You can always ask the vendor clarification questions around areas you are unsure of, such as technology stack.
2. Decide if you want the vendor to focus on high-risk tasks or all tasks.
3. Create a new project role specifically for vendors with limited access. Specifically only allow:
- Tasks: Write notes on tasks
- Project Management: View project
4. Share the generated project tasks with the vendor.
You will receive substantial visibility into the risk of third party software if you follow the guidance below:
- Create a user for the vendor and add them to the project. Assign the vendor the custom role from the previous step:
- Provide the vendor with a link to the project. Follow the regular process for an existing or new application, but leave verification up to your internal team.
Note #1 - Access considerations: Providing SD Elements access, as above, will help foster a more engaged security partnership with your vendor. However, there may be circumstances when you don't want to provide a vendor application access to your project. In these situations you can print off the list of generated tasks using the project reports section.
Note #2 - Licensing considerations: Your license might cover third party developers access under the application-based licensing. For legacy licensing or if you have questions, your account representative can tell you more about. Keep in mind that you need to have a NDA with your third party developers and the applications being developed must be to the sole benefit of your organization for the license to extend to third party developers.