Quick assessment of application security of third-party providers.
Questions to ask & documentation
- Application usage at the company
- Categorization of data handled by the application
- Handling of updates / patching
- Dependencies of the application on other applications
- Open source?
- License (free to use? free only for individuals but not for corporate use?)
- Compliant with policies?
- Known vulnerabilities? Look at open bugs, especially security ones.
- Known incompatibilities?
- Security incidents found? Data breaches?
- Cloud solution?
- Support