Software buyers are increasingly focusing on security as a requirement in the product they purchase. This is far from a bad thing — it's how these software buyers ensure their employees and customers are secure. But it can represent a roadblock for the vendors that supply the software products. Suddenly, testimonials and self-attestations don't carry the weight they once did, leaving independent software vendors (ISVs) to find new approaches to sell their products.
Fortunately, overcoming hurdles in this new age of security awareness comes down to documentation, specifically through automated security audits and related education and remediation techniques. For companies looking to provide evidence of secure software to existing clients or to make the cut on a buyer's preapproved list of vendors, self-imposed automated security audits can show you do more than walk the proverbial walk. In fact, they're documented proof of a security-minded vendor — just the kind of ISV these buyers seek.
Staying secure means more than simply telling a buyer that your products are secure. A thorough security audit is good on its own merits, even before considering its power as a marketing/sales tool. Keeping your products secure means your clients, their customers and any others using a product containing your code are safer from digital attacks.
That said, B2B software sales differs from selling to a standard consumer base. Companies that have a presence in the consumer software market can often drum up sales with recognition and slick marketing. However, the software vendors providing scripts, libraries, chunks of custom code, premade components, and full products often need tangible evidence of embedding security into their development process just to get a foot in the door. The more standards-driven a given industry is, the trickier it gets.
Of course, this "evidence" comprises items that depend on what the buying party is looking for. From PCI to the OWASP Top 10 and beyond, most companies want proof of compliance and/or experience with some set of standards — even if that desire comes from a general security concern instead of an industry-wide mandate.
Self-imposed security audits are proof of an ISV's commitment to a given set of standards. They also prove the ISV is concerned enough with security to evaluate its products before being asked to, offering potential and existing clients the peace of mind that comes with partnering with a responsible, security-minded third party.
Automated security-auditing measures make self-imposed auditing a good proposition from cost and documentation standpoints as well. Instead of bringing in additional hard-to-find application security experts or relying on manual penetration testing, automated software secuirty audits make finding errors and remediating the conceptual problems that cause them quicker and less expensive than traditional, manual options. Plus, using the platform's findings to create a detailed audit trail makes business sense for both vendors and their buyers.
This sort of low-level detail can be a crucial selling point during procurement or renewal with an existing client. When security objections do pop up, being able to provide detailed, documented results is far better than making promises or blabbering through an answer. And this is before considering the countless "trusted vendor" repositories used by buyers across the industry: Having your company's name on a trusted list can be a huge feather in your cap, and sometimes it's the only way to initiate dialogue with a potential new customer.
Thorough security auditing involves a combination of testing techniques, performed by an independent application security expert. Static analysis tools allow for a full audit without needing so much as a peek at your source code, giving you the best aspects of manual testing with none of the costs or effort required to bring new experts on board.
If you work in an industry bound by strict standards, there's a good chance auditing is already a way of life for your company. Automating it is just the next logical step.
If not, you should still consider voluntary, self-undertaken security audits the way of the future, because they are. Wherever your company's development interests lie, the software seller scene is a competitive one. Being able to provide proof of secure, standards-driven code is less a selling point than it is a competent organization's calling card. Think of security audit documentation as that slick, back-of-the-box text — only this time, it actually means something.
Photo Source: Wikimedia Commons