Over the course of 2013, I witnessed a shift in security. As we learned about government surveillance and suffered through credit card replacements as a result of the Target Breach, questions of security have come to the forefront. These questions focus not just on the security of our banking institutions, but of their third-party providers. As a result, the most forward thinking executives at the largest enterprises are starting to look at the potential risk in the software their business units are purchasing rather than just the software internal development teams are producing. Large enterprises cannot risk the potential brand damage and cost of a wide spread data breach resulting from vulnerabilities found in software – even software purchased from a trusted third-party provider. They recognize the excuse that the vulnerability was in a third-party application will not cause the public to view the enterprise as an unwitting victim. In an effort to get in front of this potential risk, the largest enterprises are beginning to require their software providers to deliver proof of security along with the products themselves. This is being built into RFPs, procurement contracts, and even into policy papers. In 2012, Veracode launched the VAST program to help enterprises address the issue of third-party software security. The Veracode VAST program verifies software vendor assessments and attests to the security of externally developed software through the use of static binary analysis. If a software supplier fails to meet an enterprise’s software security standards for their purchased software, contracts are typically minimized or terminated in order to mitigate the risk. While the VAST program helps enterprises assess the risk of third-party applications, it also creates an opportunity for software providers to demonstrate their security posture and use this as a differentiator during the procurement process.
I have seen this come up again and again as more large enterprises can no longer tolerate the risk of software vulnerabilities. Which makes me ask this question of all software suppliers, why not set out to proactively demonstrate the security of your software? It will save time during future procurement processes, and if the software provider earns a third-party seal of approval once, they can use this certificate during future sales discussion – further saving time and potentially helping them win sales. The largest enterprises of the world are no longer just asking for proof, they are demanding it. Software suppliers need to be ready in 2014 as new guidance and recommendations, like the Office of the Comptroller of the Currency Risk Management Guidance for Third Party Relationships, and the FS-ISAC’s Appropriate Software Security Control Types for Third Party Service and Product Providers get built into procurement language. Even PCI Data Security Standard, version 3.0, which took effect in January, stresses that businesses and organizations that accept and/or process cards are responsible for ensuring the third parties they rely on for outsourced solutions and services use appropriate security measures. By working with Veracode, software suppliers are able to get ahead of the curve and can proactively promote the security of their products to win more customers and preserve contract renewals while receiving an independent attestation of software security. 2014 will see many changes for software suppliers as software security becomes the latest “must have” feature. Get ahead of this trend now by working with Veracode.