IT-Analysis.com
Before you buy, verify
By: Fran Howarth, Principal Analyst, Quocirca
Published: 9th April 2009
Copyright Quocirca © 2009

Everyone has, at some point, bought something that is faulty. If you buy a new phone and the battery burns out, you just take it back to the shop and get a replacement. But what of software? Even packaged off-the-shelf software contains errors—and those are not errors that just affect one customer, but all who use that software. For example, almost every Tuesday, Microsoft sends out patches for the latest bugs that have been uncovered in its offerings.

As recent research by Quocirca shows (Why application security is crucial), organisations today are increasingly reliant on software that they have to some extent customised or adapted, as off-the-shelf rarely makes the grade for everyone. As a result, software produced or customised by third parties forms a significant proportion of all the software applications in use in the average organisation.

However, as has already been said, software tends to contain flaws. Software applications often contain hundreds, thousands or even millions of lines of code, making it likely that at least some mistakes will have been made along the way. A commonly accepted rate is around 0.5 significant errors per thousand lines of code, so a fairly small 10,000 line application will have five significant errors within it—somewhere.

There are numerous tools and techniques that can be used throughout the development cycle of a software application to allow the organisation developing the program to minimise errors that could lead to exploitable vulnerabilities. These include threat modelling, in which the set of possible attacks considered likely to be encountered is defined, and static code analysis, in which automated tools are used to find bugs or flaws in the code that could be exploited. There are also tools that can be used to test the application for security holes and vulnerabilities during the development lifecycle and in test implementations. But, if you haven't developed the code yourself, how can you be sure that these processes have been followed, that the tests have been carried out, and that they have been conducted with sufficient attention to detail?
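As an added illustration of the static code analysis described above (this is example code written for this article, not Fortify's tooling or anything from the original piece), the following small Python checker walks a program's syntax tree and flags database calls whose query text is assembled at run time from concatenation, formatting or f-strings, a common root cause of SQL injection, while leaving parameterised queries unflagged. The sample source it scans, including the function name `lookup`, is constructed for the example.

```python
"""Minimal static code analysis check (added example, not the article's own code).

Walks the Python AST of a source text and reports calls to any .execute() or
.executemany() method whose first argument is built at run time. Parameterised
queries (a literal query string plus a separate parameter tuple) are not
reported, which is exactly the distinction a real analyser needs to make.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    line: int      # line number within the scanned source
    reason: str    # why the call was flagged


def _dynamic_string_reason(node: ast.AST) -> Optional[str]:
    """Return a reason if the node builds text at run time, else None."""
    if isinstance(node, ast.JoinedStr):
        return "f-string used to build query"
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return "string concatenation or % formatting used to build query"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format() used to build query"
    return None


def find_dynamic_queries(source: str) -> List[Finding]:
    """Scan Python source text; return one Finding per risky execute() call."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        # Only method calls such as cur.execute(...) are of interest.
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in ("execute", "executemany") or not node.args:
            continue
        reason = _dynamic_string_reason(node.args[0])
        if reason:
            findings.append(Finding(node.lineno, reason))
    return findings


# Constructed sample input: two unsafe patterns followed by one parameterised
# (safe) query. Only the first two calls should be reported.
SAMPLE_SOURCE = '''
def lookup(cur, user):
    cur.execute("SELECT * FROM users WHERE name = '" + user + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{user}'")
    cur.execute("SELECT * FROM users WHERE name = %s", (user,))
'''

if __name__ == "__main__":
    for finding in find_dynamic_queries(SAMPLE_SOURCE):
        print(f"line {finding.line}: {finding.reason}")
```

Run as a script it prints one line for each of the two unsafe calls (lines 3 and 4 of the sample) and nothing for the parameterised query. A production analyser does far more (data-flow tracking, many more sinks, multiple languages), but the principle is the same: decide from the structure of the code, without running it, whether untrusted input can reach a sensitive operation.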

With hackers increasingly targeting the applications used by businesses, as other lines of attack such as those against operating systems and web browsers are closed off through the use of point security solutions, security considerations are becoming part and parcel of the procurement process for third-party software applications. These days, with stories of data breaches hitting the headlines, some of them caused by applications being hacked for the sensitive information that they process, not requiring security certifications for application software amounts to negligence. But who are you going to trust to provide that certification? The party that developed the software? As software coders, they obviously have the development resources that they need in house, but are they also experts in security? The answer lies in third-party validation and verification.

Fortify Software, a vendor of software security assurance tools, has recently unveiled a new service to help organisations ensure that the software applications they purchase, outsource or even develop themselves are secure. Called Vendor Security Management, this is an on-demand service for mitigating the business risk associated with vulnerable applications. An organisation that wishes to purchase an application can have its software vendor upload the binary for the application to Fortify, which conducts scans, addresses any security issues found and provides detailed reports to the software vendor's security team.

With this service, organisations do not need to worry about purchasing the tools needed to perform the tests themselves, or about hiring people with the relevant know-how and expertise for a task that may be required only infrequently. Rather, they can be sure that the tests have been run by dedicated experts who run this service for other customers as well, and who can hence feed the knowledge gained from multiple engagements back for the benefit of all customers. And for software vendors, the benefit of having Fortify perform these tests is that they can be sure that serious vulnerabilities have, to the greatest extent possible, been ironed out of the application, and can prove to their customers that this has been verified by an independent third party.

Fortify's new service allows organisations to verify, before they commit to buying them, that the software applications they wish to purchase are secure and do not contain vulnerabilities that could be exploited. This could save them a great deal of money—either money that does not have to be spent on clearing up after a security breach, or money that would be required to hire the resources necessary to do the job themselves. Modern society is built around specialisation—architects, doctors and software testers are just some examples. There are times when specialised tasks are best left to the experts.




Published by: IT Analysis Communications Ltd.