
Can a vendor be convinced to add security to its application development process?

In this expert response, security management pro Mike Rothman unveils several ways in which organizations can influence vendors to make security a bigger priority in the application development life cycle.

Our company is a long-time customer of a major application vendor. Its products mostly fit our needs, but we're unhappy with its secure coding practices; applications just aren't built with security in mind. Since we're just one of thousands of customers, and ultimately we don't want to switch vendors, what leverage do we have to encourage the vendor to make security more of a part of the application development life cycle?
Unfortunately you are playing cards against the house and they hold all the aces. There really isn't anything you can do unless you are willing to switch vendors. Basically, you've built your business around this vendor's applications -- and for that reason it knows you aren't going to migrate to a new vendor on a whim -- so there is little to no incentive for the vendor to do much more than smile, say thanks for the feedback and go on its merry little way.

Depending on how strongly you feel about the issue and how much support you can get from your internal application team, you can make a public stink about your concerns. I know a lot of media outlets would jump at the chance to talk to an unsatisfied customer. That generates a lot of page views!

A somewhat less aggressive approach would be to work within your application vendor's user group. These are usually independent operations that produce newsletters, organize conferences and the like. You can network with other users to figure out if you are the only one that thinks it's a problem, and if not, then you can organize a mass movement to get the vendor's attention.

Short of that, you need to grin and bear it. Hopefully you'll also be able to make the case as to why your application teams should be consulting the security group before they commit significant time and resources in implementing insecure applications.

This was last published in September 2007.
