Software development organizations today are caught between conflicting business priorities. On one hand, they must help their organizations bring innovative products and services to market faster than competitors. On the other, they are responsible for delivering high-quality, secure code that drives customer satisfaction and mitigates risk. On top of that, both development and QA are under growing pressure to cut costs and find further efficiencies. Together these factors make for the perfect storm of software development. This slideshow features the top concerns in software supply chain management, as identified by Coverity.
In a recent survey by Forrester Consulting and Coverity, 90 percent of respondents confirmed they use third-party code from commercial vendors, outsourced teams or open source projects, and the trend is growing: many organizations now depend on a cocktail of code from multiple sources. Unfortunately, your customer sees only one label on the bottle: yours.
Poorly tested third-party code can cause product delays or recalls, introduce security vulnerabilities and lengthen development time for your products and services, all of which can seriously damage your revenue and brand. Yet the same Forrester Consulting survey found that only 44 percent of companies run automated code testing during development on third-party code, compared to 69 percent on internally developed software. Only 35 percent conduct risk, security or vulnerability assessments on third-party code, compared to 70 percent on in-house code. And only 35 percent apply manual code review to third-party software, compared to 68 percent for internally developed code. In short, third-party code is not tested to the same standard as in-house code.
This mix of conflicting priorities and code from many sources leaves risk and reward unevenly distributed across the software supply chain. In the same report, Forrester found that in nearly one of every two cases the buyer is held 100 percent responsible for quality and security issues found in third-party code, while in only one of every ten cases the third-party supplier is held 100 percent accountable. Developers are absorbing more of that responsibility as well: more than 74 percent of respondents said developers are held more accountable for quality and security goals than they were a year ago.
None of this means development teams aren't doing their jobs. Rather, the results show the need to extend software integrity standards across all suppliers, internal and external. Developer testing, including static analysis, is one practical way to enforce those standards: hold every supplier to the same maximum defect density (a ceiling on defects per thousand lines of code) and apply that ceiling to vendored and outsourced code exactly as it is applied to in-house code.
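The gate described above, as an added example that is not part of the original slideshow or Coverity's tooling: it reads a static-analysis report in SARIF 2.1.0 (the interchange format many analyzers emit), maps each finding to a component directory, computes defects per KLOC, and fails any component, in-house or third-party, that exceeds a single shared threshold. The report contents, the `src/` and `third_party/<lib>/` layout, the line counts and the 1.0 defects/KLOC ceiling are all constructed assumptions for the example. Two details a practitioner would want are included: results carrying a non-empty SARIF `suppressions` array (triaged findings) are not counted, and `note`-level results are excluded so the count reflects defects rather than style remarks.

```python
"""Defect-density gate over a SARIF static-analysis report.

Added illustration, not Coverity tooling. The report, the component layout
(src/, third_party/<lib>/), the line counts and the threshold are constructed
assumptions; a real run would json.load() the analyzer's SARIF output and take
line counts from a tool such as cloc.
"""
from collections import defaultdict

# SARIF result levels that count as defects. "note" findings and results with a
# non-empty "suppressions" array (triaged / accepted false positives) are skipped.
COUNTED_LEVELS = {"error", "warning"}


def _result(rule_id, uri, level="warning", suppressed=False):
    """Build a minimal SARIF 2.1.0 result object for the constructed sample."""
    res = {
        "ruleId": rule_id,
        "level": level,
        "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri}}}],
    }
    if suppressed:
        res["suppressions"] = [{"kind": "inSource"}]
    return res


# Constructed sample report: in-house code plus two vendored libraries.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-analyzer"}},
        "results": [
            _result("NULL_RETURNS", "src/net/parser.c", "error"),
            _result("UNINIT", "src/util/str.c"),
            _result("OVERRUN", "third_party/libfoo/xml.c", "error"),
            _result("OVERRUN", "third_party/libfoo/xml.c", "error"),
            _result("UNUSED_VALUE", "third_party/libfoo/util.c", suppressed=True),
            _result("TAINTED_SCALAR", "third_party/libbar/a.c", "error"),
            _result("USE_AFTER_FREE", "third_party/libbar/b.c", "error"),
            _result("STYLE", "third_party/libbar/c.c", "note"),
            _result("SPELLING", "docs/README.md"),  # outside every gated component
        ],
    }],
}

# Constructed lines-of-code totals per component (assumed values).
SAMPLE_LOC = {"src": 10000, "third_party/libfoo": 2000, "third_party/libbar": 500}


def component_of(uri, components):
    """Map a file URI to the component directory that is its longest prefix, or None."""
    best = None
    for comp in components:
        if uri == comp or uri.startswith(comp.rstrip("/") + "/"):
            if best is None or len(comp) > len(best):
                best = comp
    return best


def count_defects(sarif, components):
    """Count unsuppressed error/warning results per component, each result once."""
    counts = defaultdict(int)
    for run in sarif.get("runs", []):
        for res in run.get("results", []):
            if res.get("level", "warning") not in COUNTED_LEVELS:
                continue
            if res.get("suppressions"):
                continue
            for loc in res.get("locations", []):
                uri = (loc.get("physicalLocation", {})
                          .get("artifactLocation", {}).get("uri", ""))
                comp = component_of(uri, components)
                if comp is not None:
                    counts[comp] += 1
                    break  # a result with several locations is still one defect
    return dict(counts)


def defect_density(sarif, loc_by_component):
    """Defects per thousand lines of code (KLOC) for every gated component."""
    counts = count_defects(sarif, loc_by_component)
    return {comp: counts.get(comp, 0) * 1000.0 / loc
            for comp, loc in loc_by_component.items()}


def gate(sarif, loc_by_component, max_per_kloc):
    """Return the components whose density exceeds the single shared ceiling."""
    return {comp: dens
            for comp, dens in defect_density(sarif, loc_by_component).items()
            if dens > max_per_kloc}


if __name__ == "__main__":
    for comp, dens in sorted(defect_density(SAMPLE_SARIF, SAMPLE_LOC).items()):
        print(f"{comp:22s} {dens:5.2f} defects/KLOC")
    failures = gate(SAMPLE_SARIF, SAMPLE_LOC, max_per_kloc=1.0)
    raise SystemExit(1 if failures else 0)
```

With the constructed data, `src` comes out at 0.2 defects/KLOC, `third_party/libfoo` at exactly 1.0 (the suppressed finding is not counted) and `third_party/libbar` at 4.0, so only `libbar` fails the 1.0 ceiling. The point of the design is that the threshold is one number applied to every component; whether a raw count or a severity-weighted one is the right metric is a policy choice, and the `COUNTED_LEVELS` set is where that choice would be made.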