Can a vendor be convinced to add security to its application development process?
Our company is a long-time customer of a major application vendor. Its products mostly fit our needs, but we're unhappy with its secure coding practices; applications just aren't built with security in mind. Since we're just one of thousands of customers, and ultimately we don't want to switch vendors, what leverage do we have to encourage the vendor to make security more of a part of the application development life cycle?
Unfortunately you are playing cards against the house and they hold all the aces. There really isn't anything you can do unless you are willing to switch vendors. Basically, you've built your business around this vendor's applications -- and for that reason it knows you aren't going to migrate to a new vendor on a whim -- so there is little to no incentive for the vendor to do much more than smile, say thanks for the feedback and go on its merry little way.
Depending on how strongly you feel about the issue and how much support you can get from your internal application team, you can make a public stink about your concerns. I know a lot of media outlets would jump at the chance to talk to an unsatisfied customer. That generates a lot of page views!
A somewhat less aggressive approach would be to work within your application vendor's user group. These are usually independent operations that produce newsletters, organize conferences and the like. You can network with other users to figure out if you are the only one that thinks it's a problem, and if not, then you can organize a mass movement to get the vendor's attention.
Short of that, you need to grin and bear it. Hopefully you'll also be able to make the case as to why your application teams should be consulting the security group before they commit significant time and resources to implementing insecure applications.
This was first published in September 2007