Third-party software is a manageable threat

This is a guest post for the Computer Weekly Developer Network by Rutul Dave, senior software developer with Coverity, and Chris Adlard, the company’s EMEA marketing director.

In a recent webcast, Forrester Research (alongside Coverity) presented the topic: “Is Untested Third-Party Code Threatening Your Business?” It was clear from the questions and comments that this issue is a growing concern, and that businesses are looking to gain better visibility into software risks across their development organisations.

In one of the polling questions, 58% of the attendees indicated that they had experienced a negative impact on their business due to third-party code supplied by outsourcing partners, open source projects and offshore teams. Considering this result, it wasn’t surprising that many were interested to hear directly from Dr. Chenxi Wang, principal analyst with Forrester Research, about the key findings from the Forrester Consulting Software Integrity Risk Report.

(Note: This report suggests that all organisations use third-party code and that 50% use it extensively or regularly. According to the report, fewer than 50% of the respondents tested third-party code with the same rigour as internally developed code.)

The software integrity research surveyed 336 software development influencers in North America and Europe on current practices and market trends for managing software quality, security and safety.

The findings revealed that, in today’s environment, businesses are being impacted by software defects.

Dr. Wang explained, “While a development team might be implementing better practices in their internal development process like rigorous code reviews and unit testing, they always fell on the sword when they leveraged third-party code that had not been held to the same testing rigour.”

As a result of these impacts, development teams are now being held more accountable for customer satisfaction, and software integrity has become an essential part of the development organisation’s responsibilities. Developers need to ensure their software meets the highest standards for quality, works reliably in safety-critical systems, and is free of exploitable security vulnerabilities.


As the findings were shared, many attendees asked the popular question: “How can developers get ahead of these trends and reduce the risk of using insufficiently tested software?”

The short answer is to use the available technology to your advantage. Developers have the least visibility into the quality of third-party code, because it was written, reviewed and tested (or not) somewhere else. This is where an automated code testing technique such as static analysis is the quickest and most cost-effective way to gain that visibility: it inspects the code you have received without requiring the supplier’s test suite, build environment or cooperation. Static analysis can identify the most critical classes of bugs in C/C++, Java and C# codebases and provide early warning of software or business risk. It does not give a team control over its suppliers, but it does give developers the same view of critical issues in third-party code that they have in their own, with two practical limits: it only covers components delivered as source, and it only finds the defect classes its checkers are written for.
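To make the idea concrete, here is a small static checker written for this article as an added example. It is not Coverity’s technology and not code from the webcast; it uses Python’s standard `ast` module to walk a module that a team might have received from a supplier, and the sample module, the check names and the flagged patterns (unsafe deserialisation, `yaml.load` without a `Loader`, `shell=True`, `eval`/`exec`) are all constructed here for illustration. It also resolves import aliases (`import pickle as pkl`, `from subprocess import run as sh`) so that a renamed import does not hide a dangerous call, which is exactly the kind of thing a manual skim of unfamiliar code tends to miss.

```python
"""Minimal AST-based static checker for Python source received from a third
party.  Added example, not Coverity tooling and not from the original post:
the checks and the sample module below are constructed for illustration."""
import ast
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample standing in for a vendored module that arrived untested.
# Note the aliased imports: the checker must see through them.
VENDORED_SOURCE = '''\
import os
import pickle as pkl
import yaml
from subprocess import run as sh

def load_config(path):
    with open(path, "rb") as fh:
        return pkl.loads(fh.read())        # untrusted deserialisation

def parse(text):
    return yaml.load(text)                 # no Loader argument

def run(cmd):
    return sh(cmd, shell=True)             # shell injection risk

def safe_run(argv):
    return sh(argv, shell=False)           # not reported

def expand(s):
    return os.path.expanduser(s)           # not reported
'''


@dataclass(frozen=True)
class Finding:
    line: int
    check: str
    message: str


def _import_aliases(tree: ast.AST) -> Dict[str, str]:
    """Map each locally bound name to the module or object it imports."""
    aliases: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.asname:                      # import pickle as pkl
                    aliases[alias.asname] = alias.name
                else:                                 # import os.path binds 'os'
                    top = alias.name.split(".")[0]
                    aliases[top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:                  # from subprocess import run as sh
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return aliases


def _dotted_name(node: ast.AST) -> str:
    """Return 'a.b.c' for a Name/Attribute chain, '' for anything else."""
    parts: List[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _resolve(callee: str, aliases: Dict[str, str]) -> str:
    """Rewrite e.g. 'pkl.loads' to 'pickle.loads' using the module's imports."""
    head, _, rest = callee.partition(".")
    if head in aliases:
        return aliases[head] + (f".{rest}" if rest else "")
    return callee


def _keyword(call: ast.Call, name: str) -> Optional[ast.expr]:
    """Return the AST of keyword argument `name`, or None if absent."""
    for kw in call.keywords:
        if kw.arg == name:
            return kw.value
    return None


def analyse(source: str) -> List[Finding]:
    """Run the checks over one module and return findings sorted by line."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    findings: List[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        callee = _resolve(_dotted_name(node.func), aliases)
        if callee in ("pickle.load", "pickle.loads"):
            findings.append(Finding(node.lineno, "UNSAFE_DESERIALISE",
                                    f"{callee} deserialises data of unknown origin"))
        elif callee == "yaml.load" and _keyword(node, "Loader") is None:
            findings.append(Finding(node.lineno, "YAML_LOAD_NO_LOADER",
                                    "yaml.load without an explicit Loader"))
        elif callee.startswith("subprocess."):
            shell = _keyword(node, "shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                findings.append(Finding(node.lineno, "SHELL_TRUE",
                                        f"{callee} with shell=True"))
        elif callee in ("eval", "exec"):
            findings.append(Finding(node.lineno, "DYNAMIC_CODE",
                                    f"{callee} executes runtime-built code"))
    return sorted(findings, key=lambda f: f.line)


def report(source: str) -> List[str]:
    """One human-readable line per finding."""
    return [f"line {f.line}: {f.check}: {f.message}" for f in analyse(source)]


if __name__ == "__main__":
    for line in report(VENDORED_SOURCE):
        print(line)
```

Run against the constructed module, the checker reports three findings (lines 8, 11 and 14) and stays quiet on the `shell=False` call and the harmless `os.path` use. The checks here are purely syntactic: there is no data-flow analysis, so a `shell` flag computed at runtime, or a call reached through a function pointer, would not be caught. That is the gap a commercial analyser closes by following values across functions and files, but the principle the paragraph above describes, automated inspection of code you did not write and cannot otherwise test, is the same.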

As the presentations concluded and Q&A began, the majority of the questions raised surrounded the topic of implementation. It was clear that the attendees, 39% of whom openly confessed to not currently using a static analysis solution, were now ready to take action and to invest in a technology that could make software integrity happen.

On the webcast, developers asked a number of additional technical questions, not all of which we had time to answer in the allocated session. In our conclusion, we suggested that static analysis is an essential part of developer-side software testing, and that organisations need to look at code governance solutions (such as Coverity) in order to manage software code provided by third-party suppliers more effectively.

Ed: just one name-checking product plug right at the end? We’ll allow that ☺