In the wake of the Target breach, large enterprises are beginning to realize they need to take responsibility for the security of their vendors. Research by firms such as Gartner and CrowdStrike has noted that as network perimeters have hardened, attackers are increasingly targeting the IT supply chain. This is because when searching for an entry point into a large organization, cyber-criminals look for the path of least resistance, and that often turns out to be third-party software and components. As a result, enterprises must hold their suppliers to the same security standards to which they hold themselves, and understand which components are being used in the development of their applications.
Conversely, software suppliers want to win more business. To do this, they need to make their security posture easy to understand.
Questionmark, a SaaS provider of online assessment software with more than 2,500 customers, recently published a blog post outlining their security program. The post not only highlights their efforts to create and sell a secure product, but also demonstrates their awareness of the pressures their customers are under. By getting in front of their customers’ need for independent security attestation, Questionmark is making their customers’ pain a priority. In the process, they are making their product easier to purchase and cutting out the inevitable objection from security teams during the procurement cycle.
More software suppliers should follow Questionmark’s proactive example, rather than waiting for clients to demand proof of security.