SAFECode has released their Principles for Software Assurance Assessment - a buyer’s guide for businesses that purchase and use software, describing how they should think about the security of those products. While Veracode contributed to the paper, we feel the focus is on a level of maturity that is aspirational at best for the majority of software vendors and sets an unrealistic expectation of the overall maturity in the software market. Simply put, if you only purchase software from huge, well-established ISVs - Microsoft, Adobe, CA - this paper will be of help. If you’re not buying software only from that top tier of companies, it isn’t going to be much use.
The whitepaper dedicates only a single paragraph to a process for engaging with less mature software vendors. This is an underweighted treatment of an important process that all software buyers are going to have to undertake. It sets the expectation that this will be an exception. In our experience, it is the mature software vendor that is the exception.
For working with vendors that are not huge, well-established software vendors, customers should request an assessment of the security of the software product itself through binary static analysis. This industry-accepted standard provides a point-in-time assessment of the vulnerabilities within the product at the time of purchase, which tells the buyer exactly what they are getting: features, functionality, and risk.
Buyers need a process that will work for the majority of software they will purchase this year, and the next. A software-buying enterprise that builds its software security assessment program around the expectation that its software vendors are following secure development practices will not be set up for success.
The expectations in the document do not match the experience we have had working with hundreds of software vendors for our Fortune 500 enterprise customers' vendor assurance programs.
The SAFECode paper rightly calls out the updated FS-ISAC whitepaper on appropriate controls for third-party software and service suppliers as an excellent source. That paper dives into four controls that a buyer should consider for their program. Rather than recommending a single evaluation process, these controls are additive and complement each other in building a program to assess the risk posed by third-party software products. The result is a comprehensive program that addresses both mature and less mature software-developing organizations, as well as the issue of open source software, which SAFECode’s paper avoids.
While it is encouraging that the largest software vendors in the world are beginning to consider the need to communicate about the security of the software products they produce, a focus on only the most mature vendors sets the wrong expectation for buyers about the overall level of maturity in the market.