Organizations that purchase large amounts of software have long been in the business of managing vendors to create effective supplier communities. Activities have ranged from creating requests for proposals (RFPs) to price negotiation to monitoring ongoing vendor performance. With attacks on software applications increasing, a new responsibility is emerging. Vendor management and procurement professionals are now leading the efforts to manage application security risk in their software supply chain while minimizing regulatory and compliance burdens on the organization.
Procurement professionals are in the most strategic position in recent memory to ensure that minimum security quality (and risk) policies are adhered to by their software vendors. The dependence on software from third-party vendors continues to rise as “build versus buy” decisions increasingly favor using commercial, open source, or outsourced software when possible. As a result, a large percentage of total security risk is coming from external sources. CA Veracode’s 2013 State of Software Security Report points out that this risk is not confined to outsourced software, as many ‘internally developed’ applications will also be composed of some third-party components.
With an effective Vendor Application Security Testing program from CA Veracode, managing application security in your software supply chain is now accurate, simple, and affordable. Unlike locally installed tools that require vendors to expose source code, or expensive manual security testing, CA Veracode’s cloud-based service simply assesses the vendor’s final software application (binaries). And because CA Veracode facilitates the program and quickly explains to vendors how the process works, with no software or hardware to install and no source code to submit, you are able to quickly make a strategic and quantifiable impact on your organization.