I'm curious to know how other companies handle their software vetting processes. At my company, we have a change control board and we scan all software requests with VirusTotal. Then we install the software on an airgapped sandbox PC and run a Defender Virus scan. We're looking to improve our process and would love to hear any tips, tricks, or additional steps you all take to ensure software security, especially if you handle this in a cloud-integrated environment!
5 Answers
It's essential to tailor your vetting process to your threat level and risk tolerance. If you're using an air-gapped PC, you likely face a sophisticated threat environment. Solutions like Cross Domain Solutions offer profound protection, but they can be pricey. There are middle-ground options like Glasswall for deep content inspection that might suit your needs without breaking the bank.
It’s important to remember that some malware can detect if it's running in a VM or sandbox. We make sure to run scans with VirusTotal and conduct full Defender scans on the installed software, but we also need tools specifically for detecting those tricky cases.
It can be a challenge when non-IT people decide they need a specific software package and just buy it without consulting us. It's even more frustrating when simple issues could be resolved by reading the manual! I've implemented a cyber security policy that allows me to refuse requests and ensures I’m not held accountable for unsupported software installations.
When it comes to cloud-integrated software, I focus on checking the EULA and licensing terms to make sure we're compliant. If it’s way over my head, I pass it up the chain. If the software isn’t available through official channels, we usually deny it unless there are significant reasons to consider it.
Yes, we've developed a process for both approvals and refusals to limit the number of apps we end up having to support. We review existing software regularly and remove any unsupported or end-of-life options. Our configuration management log keeps track of all software requests, whether they're approved or rejected.
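As an added example (not code from any of the posters above), here is a PowerShell function that makes the sandbox steps described in the question and the request log mentioned in the last answer repeatable: it hashes the installer, checks its Authenticode signature, runs a Windows Defender custom scan on just that file, optionally looks the hash up on VirusTotal (sending only the hash, never the binary), and appends one row to a CSV that acts as the configuration-management log. The function name, the log path, the ticket-id format and the decision rule are assumptions; the Defender cmdlets require Windows with the Defender module, and the VirusTotal call needs a v3 API key.

```powershell
# Added example for the vetting process discussed in the thread; not from the original posts.
# Assumed names: Invoke-SoftwareVetting, the default log path, the TicketId format.
function Invoke-SoftwareVetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        [Parameter(Mandatory)] [string] $TicketId,                      # change-control reference (assumed format)
        [string] $LogPath = 'C:\VettingLog\software-requests.csv',      # assumed location of the request log
        [string] $VirusTotalApiKey                                      # optional; hash lookup only, no upload
    )

    if (-not (Test-Path -LiteralPath $InstallerPath)) {
        throw "Installer not found: $InstallerPath"
    }

    $file = Get-Item -LiteralPath $InstallerPath
    $hash = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash

    # 1. Authenticode: an unsigned or tampered installer needs a human look before anything else.
    $sig    = Get-AuthenticodeSignature -LiteralPath $InstallerPath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # 2. Defender custom scan of this file only. Get-MpThreatDetection returns historical
    #    detections as well, so filter by detection time and by file name.
    $scanStart = Get-Date
    Start-MpScan -ScanType CustomScan -ScanPath $InstallerPath
    $detections = @(Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $scanStart -and
                       ($_.Resources -join ';') -like "*$($file.Name)*" })

    # 3. Optional VirusTotal v3 lookup by SHA-256. Looking up the hash rather than
    #    uploading the installer keeps proprietary or licensed software off a third-party service.
    $vtStatus    = 'not-checked'
    $vtMalicious = -1
    if ($VirusTotalApiKey) {
        try {
            $resp = Invoke-RestMethod -Method Get `
                -Uri "https://www.virustotal.com/api/v3/files/$hash" `
                -Headers @{ 'x-apikey' = $VirusTotalApiKey }
            $vtMalicious = [int]$resp.data.attributes.last_analysis_stats.malicious
            $vtStatus    = 'checked'
        } catch {
            $vtStatus = 'unknown'   # usually HTTP 404: the hash has never been seen by VirusTotal
        }
    }

    # 4. Decision rule (assumed policy): any Defender hit or VirusTotal malicious verdict rejects,
    #    a missing or invalid signature forces manual review, otherwise the request goes to the board.
    $decision = if ($detections.Count -gt 0 -or $vtMalicious -gt 0) { 'REJECT' }
                elseif ($sig.Status -ne 'Valid')                    { 'MANUAL-REVIEW' }
                else                                                { 'PROCEED-TO-BOARD' }

    $record = [pscustomobject]@{
        Timestamp           = $scanStart.ToString('s')
        TicketId            = $TicketId
        FileName            = $file.Name
        SizeBytes           = $file.Length
        SHA256              = $hash
        SignatureStatus     = $sig.Status
        Signer              = $signer
        DefenderHits        = $detections.Count
        VirusTotalStatus    = $vtStatus
        VirusTotalMalicious = $vtMalicious
        Decision            = $decision
    }

    # 5. Append to the request log so approved and rejected requests are both on record.
    $logDir = Split-Path -Parent $LogPath
    if (-not (Test-Path -LiteralPath $logDir)) {
        New-Item -ItemType Directory -Path $logDir | Out-Null
    }
    $record | Export-Csv -LiteralPath $LogPath -Append -NoTypeInformation
    return $record
}

# Usage on the sandbox PC (path and ticket id are placeholders):
# Invoke-SoftwareVetting -InstallerPath 'D:\incoming\vendor-setup.exe' -TicketId 'CCB-0001'
```

The CSV row records the SHA-256 alongside the decision, so a later request for the same installer can be matched to an earlier verdict, and an unsigned package never reaches the board without someone reading the signature status first. The VirusTotal step is deliberately hash-only; whether to upload unknown samples is a policy question the board should decide, not the script.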