Dangers of Third Party Software Development Highlighted by New Report

May 10, 2011
Core Java

If you haven’t read it, lay your hands on the new Software Integrity Risk Report from Forrester. It confirms what many of us have suspected for a long time: businesses don’t adequately review the code developed by their third party contractors. In fact, according to Forrester, only about half of companies use the same level of rigor in vetting third party code as they do for their own in-house software.

The Forrester report should serve notice that businesses must be more rigorous in their contracts with third party developers, outsource vendors, and others. Those contracts must include specific protections regarding acceptance testing, quality of code, quality assurance, development practices, use of open source and other third party code, and related matters. These are, unfortunately, exactly the type of protections that vendors frequently object to, placing their customers in the position of having to pay for code that may not have been properly vetted. Businesses must stand strong and insist on these basic protections.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.