Software of Unknown Pedigree: SOUP. Once an industry buzzword around safety-critical systems such as medical software, the term deserves a resurrection. Mid-size businesses and enterprises rely on more third-party software than ever for business-critical functions. Technology embeds itself in every area of daily life, a trend that shows no sign of slowing, and the number of safety-critical systems that run on software is growing in parallel. From Near Field Communication to utilities, the growing landscape of software means one thing to attackers: opportunity.

SOUP doesn't just deserve a resurrection; it deserves focus. There's a reason identity theft is so commonplace that a movie is being made about it. If your company stores sensitive customer data or controls any kind of safety-critical software (and the list of companies that do is growing rapidly), you need to focus on software security. That focus should not stop at the software you produce: it must extend to the software you resell, the software you package and put in front of customers, and the software you purchase to run your business-critical functions. Software security needs more focus, and it needs widespread awareness.

Infographic by Veracode Application Security


The Use of Vendor Supplied Software is Growing

Breakdown of Software Procurement in a Global Enterprise

  • 44% - Off the Shelf Vendors (COTS)
  • 28% - Outsourced Development
  • 15% - On-Demand (SaaS) Providers
  • 15% - Open Source Code
  • 7% - Mobile Apps Development

84% of Enterprises did not test vendor supplied applications

Why It's Important to Inspect SOUP

82% of Enterprise Auditors are asking if vendor supplied software is secure

Some ingredients of S.O.U.P. may be harmful to your enterprise

Type of Vendor-Supplied Software    Inspection Failure Rate    Possible Enterprise Side Effects
Customer Support Applications       80%                        Customer data loss
Security Applications               76%                        Gaps in enterprise security defenses against attackers
Business and IT Operations          72%                        Corporate IP theft or malicious process manipulation
Financial Applications              59%                        Increased fraud or financial data loss

No S.O.U.P. For You!

Enterprises from many industries are saying no to S.O.U.P. and inspecting vendor supplied applications

  • 21% - Financial Services
  • 14% - Software and IT Services
  • 14% - Technology
  • 6% - Telecommunications
  • 5% - Healthcare
  • 3% - Business Services
  • 3% - Entertainment and Media

Recipe Card for a Programmatic Approach to Vendor Software Security Testing

  1. Prep Time - 3 Months
  2. Test Time - 1-4 Weeks (use SaaS provider to compress testing time)
  3. Remediation Time - Weeks to Months
  4. Serves all Vendor Applications


  1. Determine the application security state of your current vendor management program, and clarify the corporate mandate and goals for your new program
  2. Define your security policy, including acceptance criteria, exception criteria, escalation process, non-acceptable flaw types, testing methodologies, etc.
  3. Set realistic timelines for vendors to meet your new policy
  4. Communicate your new policy to your vendors and be prepared to address common vendor concerns
  5. Empower your security analysis team to proactively work with your vendors
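One way to make the acceptance criteria, exception criteria, non-acceptable flaw types and escalation process from step 2 concrete is to encode them as policy-as-code and run every vendor assessment result through it, so that "accept", "reject" and "escalate" are decided the same way for every vendor. The Python below is an added example, not code from Veracode or from the infographic; the finding records, CWE numbers, severity scale, 180-day escalation window, exception list and dates are all constructed for illustration.

```python
"""Encode a vendor software acceptance policy as code.

Added example; not Veracode's tooling. All findings, CWE ids,
paths, dates and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Ordinal scale so severities can be compared against a threshold.
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    """One flaw reported by a scanner against a vendor application (constructed)."""
    flaw_id: str
    cwe: int          # CWE identifier as reported by the scanner
    severity: str     # key of SEVERITY
    path: str


@dataclass
class Policy:
    """Acceptance criteria, exception criteria and escalation rule."""
    # Flaws at or below this severity are tolerated (subject to the CWE list).
    max_accepted_severity: str = "medium"
    # Flaw types that fail the application regardless of severity:
    # CWE-89 SQL injection, CWE-78 OS command injection, CWE-79 XSS.
    non_acceptable_cwes: FrozenSet[int] = frozenset({78, 79, 89})
    # Approved exceptions: flaw_id -> date the exception expires.
    exceptions: Dict[str, date] = field(default_factory=dict)
    # Escalate when an application has been non-compliant longer than this
    # (mirrors the "out of compliance for more than six months" metric).
    escalate_after_days: int = 180


@dataclass
class Decision:
    status: str          # "accept", "reject" or "escalate"
    reasons: List[str]


def is_excepted(finding: Finding, policy: Policy, today: date) -> bool:
    """An approved exception only counts while it is unexpired."""
    expiry = policy.exceptions.get(finding.flaw_id)
    return expiry is not None and expiry >= today


def evaluate(findings: List[Finding], policy: Policy,
             first_failed: Optional[date] = None,
             today: Optional[date] = None) -> Decision:
    """Apply the policy to one assessment.

    first_failed: date the application first failed, if this is a re-test;
    used to decide whether a still-failing application must be escalated.
    """
    today = today or date.today()
    reasons: List[str] = []
    for f in findings:
        if is_excepted(f, policy, today):
            continue
        if f.cwe in policy.non_acceptable_cwes:
            reasons.append(f"{f.flaw_id}: CWE-{f.cwe} is a non-acceptable flaw type")
        elif SEVERITY[f.severity] > SEVERITY[policy.max_accepted_severity]:
            reasons.append(f"{f.flaw_id}: severity {f.severity} exceeds "
                           f"{policy.max_accepted_severity}")
    if not reasons:
        return Decision("accept", [])
    if first_failed is not None and (today - first_failed).days > policy.escalate_after_days:
        return Decision("escalate", reasons)
    return Decision("reject", reasons)


# Constructed scan output for a hypothetical vendor application.
SAMPLE_FINDINGS = [
    Finding("F-1", 89, "high", "src/db/query.py"),        # SQLi: banned outright
    Finding("F-2", 200, "high", "src/api/export.py"),     # info exposure: over threshold
    Finding("F-3", 327, "medium", "src/crypto/hash.py"),  # weak crypto: within threshold
    Finding("F-4", 22, "high", "src/files/upload.py"),    # path traversal: excepted below
]
ASSESSMENT_DATE = date(2013, 11, 1)
FIRST_FAILURE_DATE = date(2013, 1, 1)
DEFAULT_POLICY = Policy(exceptions={"F-4": date(2014, 6, 30)})   # exception still valid
EXPIRED_POLICY = Policy(exceptions={"F-4": date(2013, 6, 1)})    # exception has lapsed


if __name__ == "__main__":
    first = evaluate(SAMPLE_FINDINGS, DEFAULT_POLICY, today=ASSESSMENT_DATE)
    print(first.status, first.reasons)          # reject, two reasons (F-1, F-2)
    retest = evaluate(SAMPLE_FINDINGS, DEFAULT_POLICY,
                      first_failed=FIRST_FAILURE_DATE, today=ASSESSMENT_DATE)
    print(retest.status)                        # escalate: failing for over 180 days
```

The exception list carries an expiry date on purpose: an exception granted to get a vendor through one release should not silently become permanent, and the same policy file that a security analyst reviews is what the pipeline enforces, which is the "communicate your policy to vendors" step made testable.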

Benefits of the Programmatic Approach

                                                          No Formal Program    Programmatic Approach
Average Number of Vendors Participating                   4                    38 (roughly 10x more)
Average Number of Applications Assessed                   7                    71
Percent of Applications Achieving Compliance              34%                  52%
Percent of Applications Achieving Compliance              28%                  45%
Percent of Non-Compliant Applications Out of Compliance
  for More than Six Months                                39%                  20%

About Neil DuPaul

Neil manages the blog pipeline at Veracode, often by fending off eager contributors with a stick. He manages much of the Veracode web presence while also motivating the more introspective Veracoders to be social. Lover of sports and outdoors, and a SERP enthusiast, hit him up on Twitter here.

Comments (1)

Jessia | November 13, 2013 6:13 am

Pretty! This was an incredibly wonderful article. Many thanks for providing these details.
