Vendor consolidation can make securing software simpler, easier, and better—if you do it correctly

Diversity is generally viewed as a good thing and for good reason. All things monoculture, monochromatic, monopolistic, and monolithic can range from boring (hence monotonous) to unhealthy…to dangerous.

But maybe not so much when it comes to what is the most effective and efficient way to build secure software. One of the latest industry trends, documented by analyst firm Gartner in its “Top Trends in Cybersecurity 2022” report, is that 75% of security and risk management leaders—up from 29% two years earlier—are looking to decrease the diversity of the vendors they use to provide software security tools and services “driven by the need to reduce complexity, leverage commonalities, reduce administration overhead and provide more effective security.”

Put a bit more plainly, they’re seeking simpler, cheaper, and better.

The consolidation concept is not new. Experts have warned for years about the risks of “tool sprawl” after multiple surveys found that organizations were running 25 to 49 security tools from as many as 10 different vendors.

For starters, multiple tools doing the same thing are almost certain to be duplicative overkill. Beyond that, too many tools can generate so many alerts that they overwhelm development teams. The alerts become background noise and are ignored—the exact opposite of the intent. Instead of improving security, the use of multiple tools undermines it.

Today, similar thinking is being applied to what could be called “vendor sprawl.” Or as the more common cliché puts it, “too many cooks” syndrome.

The reality is that the systems, interfaces, and tools of different vendors don’t always play nicely together, even if some of those tools are considered best of breed. When they don’t, organizations have to hire and train staff to manage multiple incompatibilities.

Gartner noted that most organizations can’t afford this kind of complex management. “The technical security staff necessary to effectively integrate a best-of-breed portfolio of security products is simply not available to most organizations,” according to the report.

So, there are clearly potential rewards in the consolidation trend—especially in a weakened economy with numerous financial experts warning of recession.

Indeed, most people make major purchases from a single vendor. You don’t buy a car with an engine from one brand, brakes from another, and an infotainment system from yet another. While a single brand may not offer best-of-breed in every system or component, buyers make their choice based on what they consider most important. These days, better mileage and longevity may easily trump comfortable seats or a series of luxury features.

Still, there are potential risks as well. Another cliché warns about the risks of putting all your eggs in one basket. Financial advisers constantly harp on that, too, telling clients to maintain a diversified portfolio so they can balance their risk. If one investment collapses, it doesn’t wipe out your entire nest egg.

So, if you’re an organization looking to consolidate down to one or two vendors, the message isn’t to abandon the idea, it’s to do it very carefully. In most cases, you’ll be living with the decision for several years through a long-term contract. If you choose poorly, that could mean a long-term headache.

And this leads to the main question: What are the best ways to vet a potential security vendor?

Start with the portfolio. If you’re going to use the products and services of a single vendor, it’s crucial that the vendor meets all your multiple security needs. It’s not good enough for just one of the so-called “essential three” automated tools, such as static application security testing (SAST), to be among the best available if the other two—software composition analysis (SCA) and dynamic application security testing (DAST)—are more like add-ons, amounting to fries with your burger.

To invoke another image, if you’ve got weak links in your chain, your whole chain is weak, and that is toxic in a software development life cycle where doing the right test at the right time is the only way to ensure that security gets built-in during the hyperdrive speed of development. Keep in mind, too, that software risk is business risk.

Demand an open platform. Consolidation isn’t going to be an overnight event where you turn off six switches and leave one on. As Jim Ivers, vice president of marketing with the Synopsys Software Integrity Group, puts it, vendor consolidation is “the equivalent of changing the tires on a moving vehicle.” To do the software security version of this type of switch, you need a platform that will enable you to leverage your existing security testing tools to simplify the transition. Without it, there will be testing gaps—exactly what you don’t want.

Verify stability and longevity. Any potential vendor is going to be a partner for a while. Does it have a history of evolving its portfolio to keep pace with rapidly evolving development techniques and threats?

In short, consolidation can be good or bad for you, depending on how you do it. So, to stay on the good side, take the time to do it in a way that will help you build trust in your software.

If you need help, the Synopsys Software Integrity Group meets or exceeds the portfolio, platform, stability, and longevity standards, and it’s not just the company saying so. For the seventh year in a row, Gartner has placed Synopsys at the top of its Magic Quadrant for Application Security Testing.  To learn more, visit us here.