2025-02-27

In 1965, Ralph Nader’s groundbreaking book Unsafe at Any Speed exposed how car manufacturers prioritised style, performance, and profit over the safety of drivers and passengers. His narrative spurred public outrage and catalysed sweeping changes, including the widespread adoption of seatbelts and other safety innovations. As the former CISA director Jen Easterly noted earlier this year, today we find ourselves at a similar inflection point in the software development domain.

Because speed and product features are prioritised, secure software development is often treated as an afterthought. Cyber threats are becoming more sophisticated, and if organisations do not demand early introduction and better integration of security measures from their software suppliers, they may face severe consequences.

Third-party suppliers: your first-party risk

Organisations today increasingly rely on Software as a Service (SaaS), embedding it deeply into their infrastructure and business operations because it is cheaper and more efficient. Although these solutions offer scalability and efficiency, they also introduce significant risk. Moreover, we now live in an era dominated by artificial intelligence (AI), in which traditional security boundaries are being circumvented. Given the vast amount of data exchanged between systems and the numerous actors involved in the supply chain, the impact of a cyber incident caused by software development flaws is now greater than ever before. The scale and complexity of data requiring protection have skyrocketed, as AI now generates, aggregates, and shares vast amounts of data across organisations and third parties.

The 2024 Data Breach Investigations Report from Verizon reveals that 15% of breaches involved a third party or supplier, such as software supply chains, hosting partner infrastructures, or data custodians. This number has been rising year over year, and it highlights the urgent need for organisations to rethink their approach to third-party risk management.

One of the biggest mistakes companies make in vendor assessments is focusing solely on vendor security compliance rather than product security. Many organisations send out lengthy questionnaires to vendors about their Information Security Management System (ISMS) but fail to scrutinise their application and product security. Certifications and compliance attestations, such as ISO 27001, SOC 2, PCI DSS, and GDPR, are often viewed as security benchmarks, but they do not necessarily guarantee continuous secure software development practices. Some vendors may hold these certifications; however, certain products in their portfolio may fall outside the scope of these security standards and frameworks. If overlooked, this blind spot can lead to significant security risks. An organisation may assume a certified vendor has robust security measures in place, only to later discover that the specific product it is using lacks fundamental security controls.

