Less than 50% of third-party code tested for quality and security

According to Jon Arnold, the European MD of the firm, just five or six years ago the term 'software assurance' was a new topic, but IT managers of the day found that assurance checking generated a lot of false positives.

"We've now managed to get the numbers down, but realised a year or so ago that clients were checking their internally-developed code, but were reliant on the external supply chain for checking third-party code in most cases", he told Infosecurity.

In order to gauge the scale of the problem, Arnold and his colleagues commissioned Forrester Research to undertake a major survey of 336 IT professionals in the US and Europe.

Researchers found that a skewed risk-to-responsibility issue was forming in the software development stages and highlighted the impact software defects have on business.

More than 90% of respondents confirmed they use third-party code supplied by commercial vendors, outsourced teams, or open source providers, and more than 40% said that problems from third-party code, resulting in product delays or recalls, security vulnerabilities, increased development time, and revenue impact, have caused them to seek greater visibility when it comes to code integrity.

The Coverity survey also found that around 65% of companies say that customer satisfaction is impacted by software defects, whilst 47% believe that time-to-market is also impacted by software defects.

Only 44% of companies conduct automated code testing during development for third-party code, compared to 69% using automated code testing for internally developed software.

Delving into the report reveals that quality assurance gaps were also indicated with 51% of respondents stating they perform automated functional, load and unit testing for supplied software, compared to 75% applying these QA testing methods to internally developed software.

So what's the solution to these issues? we asked Arnold.

It's important, he says, that IT managers mandate that third-party suppliers use QA testing and code assurance systems, and that they adopt a policy - one that can be enforced - for verifying that software assurance is actually taking place.

"It comes down to integrity control - and it works both ways, as everyone wins if software assurance procedures are followed. It proves that software suppliers are performing testing, and due diligence", he says.

Overall, Arnold thinks that our industry is waking up to the issue, but, even so, some companies are only just becoming aware of the QA issue with third-party code.

"We need to move the QA element further into the [software] development cycle", he noted.
