Ensuring that proper security quality levels have been achieved in all business-critical software purchases and outsourced application development projects should be an important part of the final vendor selection process. Typically, the purchase process involves many stakeholders, including business units or functional groups that will likely view the features and functionality of the application under consideration as their main selection criteria. It is therefore very important for Vendor Management and Procurement Professionals to strike the right balance: leverage security as an important negotiating tool, but do not be too rigid, given that the objective is to maintain a productive partnership with the suppliers of the software required to run your business.
CA Veracode has found that incorporating security into the final negotiation process is an important and appropriate dialogue that is valued by both parties, and that a shared view on appropriate levels of security can be reached with minimal friction provided an industry-standards-based approach is used during price negotiations. The objective of the final price negotiation process is not to break the economic model of the software vendor, but to select a vendor or partner that is willing to contractually commit to delivering software of an acceptable security quality level at the time of purchase and simultaneously commit to improving its software security quality over the course of the contract.
Using CA Veracode in the vendor selection process can provide Procurement Professionals with a detailed understanding of the security posture of an application, as well as the remediation process and estimated timeframe required to improve its security quality. Using this information to structure appropriate commercial terms and conditions will assist Procurement Professionals in determining which software suppliers are truly committed to a strategic partnership, versus those shipping buggy code without regard to the security implications for your business.
CA Veracode is the industry’s first provider of cloud-based automated vendor security audits and provides this service to some of the world’s leading Vendor Management and Procurement Professionals at Global 2000 and Fortune 500 organizations. As the market leader and pioneer, our program management office is uniquely positioned to assist you in determining the economic model and price negotiation approach that best suits your business objectives. The two predominant engagement models in the vendor selection process are:
The subsidy model bakes security audits and one remediation scan into the final vendor selection process. This service is provided by the enterprise to the vendor as part of the enterprise's purchase criteria. It is funded by the enterprise in year one, with the expectation that the vendor will assume the cost for future releases.
The requirements model bakes a security verification requirement into the RFP process: to be considered for final vendor selection, the software vendor must submit its software to an independent third party for security verification and provide the resulting report to the enterprise along with its RFP response.
Once the security quality of the vendor application has been determined, this information is used to negotiate price and to determine acceptable levels of security quality as a pre-condition of purchase, and/or to develop an agreed-upon remediation roadmap to improve the security quality of the software over time. Depending on the security quality and the vendor under consideration, minimum security standards such as the OWASP Top 10, the SANS Top 25, or a CA Veracode Security Mark are strictly enforced as a pre-condition of purchase. Should one of these levels not be achieved, price discounts are often requested to compensate the enterprise for the security risk it assumes until the vulnerability is fixed. In some cases, price premiums may be paid to the software vendor for exceptional security quality, given the lower long-term maintenance costs associated with high-quality software.