One of the things we clearly see in our platform is that more vendor applications are being tested. Our SoSS reports are not based on surveys that collect opinions; they are an analysis of data aggregated from companies as they test and secure their applications. Our platform tracks whether an application is being tested as part of an enterprise effort to test vendor software, and the number of vendor apps tested is rising every quarter. So the big question is why. Why is the increase happening now? What other trends are driving it? We'd like to think that it's all Veracode and the programs we've launched to make it easier for enterprises to manage their vendor testing programs and get vendors to participate, and our data does show that a programmatic approach gets higher participation. But we also know that larger macro trends have to be pushing enterprises to launch these programs. The macro trends that no one in IT will argue with:
- Enterprises are using more and more externally developed software, including cloud deployments and SaaS solutions. (e.g. http://www.capterra.com/blog/finding-buying-software/capterra-research-unveils-surprising-software-trends)
- There is a lot more general business media coverage of security breaches due to hacking, which makes enterprise auditors nervous. A Quocirca survey found that "82% of enterprises get some level of inquiry about software security from auditors."
Research data that links specific breaches to the vendor supply chain is hard to come by, though. The Verizon data breach report shows "that external parties are responsible for far more data breaches than insiders and partners (98% of breaches, 99+% of records)", but that is looking at the attacker, not the source of the susceptible technology. The PwC 2012 Global State of Information Security Survey gets closer: "Over the past 24 months, the number of security incidents attributed to customers, partners, and suppliers has nearly doubled." But enterprise CISOs are smart people. They understand the macro trends and know that vendor applications are often a black box when it comes to application security risk. So if someone comes up with a way to make vendor app testing workable, they will at minimum check it out. Enter the Veracode VAST Program, stage left.