In the wake of the Target breach, large enterprises are beginning to realize they need to take responsibility for the security of their vendors. Research by firms such as Gartner and CrowdStrike has noted that as network perimeters have hardened, attackers are increasingly targeting the IT supply chain. When searching for an entry point into a large organization, cyber-criminals look for the path of least resistance, and that is often third-party software and components. As a result, enterprises must hold their suppliers to the same security standards to which they hold themselves, and must understand which components are being used in the development of their applications.

Software suppliers, for their part, want to win more business. To do this, they need to make their security posture easy to understand.

Questionmark, a SaaS provider of online assessment software with more than 2,500 customers, recently published a blog post outlining its security program. The post not only highlights the company's efforts to build and sell a secure product, but also shows that it understands the pressures its customers are under. By getting in front of customers' need for independent security attestation, Questionmark is treating its customers' pain as a priority. In the process, it is making its product easier to purchase and removing the inevitable objection from security teams during the procurement cycle.

More software suppliers should follow Questionmark’s proactive example, rather than waiting for clients to demand proof of security.

About Anne Nielsen

Senior Product Manager for Veracode’s IT Supply Chain product line. Anne works with Veracode’s enterprise customers to reduce the risk from their third-party applications, frameworks and components. She also works with Independent Software Vendors (ISVs) to ensure they meet corporate security policies for their enterprise customers, based on minimum acceptable levels of risk.

Comments (1)

Tom | February 21, 2014 8:05 am

Vendors do need to maintain security. HOWEVER, we seem to be losing sight of the fact that Target didn't keep their network secure. The HVAC vendor was only posting electronic invoices, so why did Target give the vendor access to their entire network? Target's POS and other systems should be inaccessible. If Target had done their job, the vendor's hack would never have caused a problem.
