In a recent article, Mike Vizard at CTOEdge looked at the data on the use of third-party software in the Software Integrity Risk Report, a commissioned study conducted by Forrester Consulting on behalf of Coverity, and classified it as ‘A Software Crisis Waiting to Happen’. Statistics give an accurate picture, though being an eternal optimist, I look at it as more of an opportunity where necessity drives innovation.
There is no doubt about the benefit that the use of third-party code offers to organizations building innovative applications and systems. You can build quickly, save on the resources needed to develop subject expertise in-house, get to market faster, and stay ahead of the competition. But it comes with the cost of managing the risk from that third-party software, and it requires organizations to think about having a consistent measure of software quality regardless of the code's source.
Fortunately, technology has stepped up with solutions that address the need to manage the risk in third-party software. Modern static analysis offers an automated, consistent and unbiased look into the quality of any code through code testing. That claim would have been tough to make merely five years ago. In addition, the data from the code testing metrics allow you to get control over software from all your sources, and to gain visibility into every part of your software system – another example where technology stepped up to meet the opportunity. It's not a surprise that vendors who understand their dependence on third-party software have adopted modern static analysis as part of their development process and mandate testing of every line of code and every piece of software that goes onto the systems and devices they ship.
Over the past couple of months, Andy Chou, Coverity Chief Scientist and Co-Founder, has taken us through a journey into the world of third-party code. His articles on the EBN Online blog are a must-read for anybody looking to understand the challenges of using open-source, outsourced and commercial third-party software, and code from the internal supply chain within the organization. Each article, and ensuing discussion in the comments section, contains some great recommendations to handle those challenges, and manage the inherent risk for software development groups when realizing value from use of third-party code.