Educause Security Discussion mailing list archives

Managing Client Side Applications and Vendor "compatibility"


From: Chris Green <cmgreen () UAB EDU>
Date: Thu, 7 Feb 2008 10:52:25 -0600

Good day,

One of the recurring themes I keep running into is third-party vendor
"compatibility" with desktop applications.

Scenario usually plays out something like:

1) Vendor Releases Software

2) Vendor Certifies Client Side App (CSA) 1.0 for use with their
software

3) Security Team reads "security vulnerability in CSA 1.0, upgrade
to CSA 1.1 immediately"

4) Team managing vendor relationship pushes back with
"compatibility" statements

There's a classic struggle between managing the risk that a computer
will be exploited due to something the user follows versus the risk the
vendor application breaks. How do you all handle that?

I think the only real solution is to have teams responsible for testing
apps and making sure the unsupported versions work acceptably and eat
the cost. This is a hard solution to sell in the face of limited
resources since the person funding the app often thinks the vendor is
the one that should be telling them when they can upgrade CSA.

Does anyone have success or horror stories on managing this problem?

Thanks,

Chris

--

Chris Green

UAB Data Security, 205-975-0842
