Justice League Blog
What Measures do Software Vendors Use for Software Assurance?
My last project for my former employer (Software AG) was a study of what software vendors do to achieve software assurance. The goal of the study was to see whether we (Software AG) were at, above, or below the norm, and to adjust investments in assurance accordingly. All but one of the vendors who participated are household names – these weren’t mom & pop shops, but major multi-national ISVs, most of them with sales of a billion dollars a year or more.
I presented a brief summary of the study results at the recent “Making the Business Case for Software Assurance” workshop hosted by Carnegie Mellon’s Software Engineering Institute, and sponsored by the US Department of Homeland Security. I’ll also be presenting an even briefer summary of the results at the 24th Annual Computer Security Applications Conference in December.
In my new role at Cigital, I’m hoping to be able to expand the survey beyond software vendors into e-commerce vendors, embedded software suppliers, financial institutions, etc., as well as to systematize the survey so it can be done by filling out a web form instead of as an interview. I welcome your suggestions as to how to make this project more relevant to vendors and software purchasers – and also welcome your participation in the survey, as well as suggestions on how to fund the ongoing work!
And finally, thanks to the (anonymous) vendors who participated in the first phase of the project. While I can’t thank them by name, I very much appreciate their input.
