Diversity is generally viewed as a good thing and for good reason. All things monoculture, monochromatic, monopolistic, and monolithic can range from boring (hence monotonous) to unhealthy… to dangerous.

But maybe not so much when it comes to what is the most effective and efficient way to build secure software. One of the latest industry trends, documented by analyst firm Gartner in its “Top Trends in Cybersecurity 2022” report, is that 75% of security and risk management leaders—up from 29% two years earlier—are looking to decrease the diversity of the vendors they use to provide software security tools and services, “driven by the need to reduce complexity, leverage commonalities, reduce administration overhead and provide more effective security.”

Put a bit more plainly, they’re seeking simpler, cheaper, and better.

The consolidation concept is not new. Experts have warned for years about the risks of “tool sprawl” after multiple surveys found that organizations were running 25 to 49 security tools from as many as 10 different vendors.

For starters, multiple tools doing the same thing are almost certain to be duplicative overkill. Beyond that, too many tools can generate so many alerts that they overwhelm development teams. The alerts become background noise and are ignored—the exact opposite of the intent. Instead of improving security, the use of multiple tools undermines it.

Today, similar thinking is being applied to what could be called “vendor sprawl.” Or, as the more common cliché puts it, “too many cooks” syndrome.

The reality is that the systems, interfaces, and tools of different vendors don’t always play nicely together, even if some of those tools are considered best of breed. When they don’t, organizations have to hire and train staff to manage multiple incompatibilities.

Gartner noted that most organizations can’t afford this kind of complex management. “The technical security staff necessary to effectively integrate a best-of-breed portfolio of security products is simply not available to most organizations,” according to the report.

So, there are clearly potential rewards in the consolidation trend—especially in a weakened economy with numerous financial experts warning of recession.

Indeed, most people make major purchases from a single vendor. You don’t buy a car with an engine from one brand, brakes from another, and an infotainment system from yet another. While a single brand may not offer best-of-breed in every system or component, buyers make their choice based on what they consider most important. These days, better mileage and longevity may easily trump comfortable seats or a series of luxury features.

Still, there are potential risks as well. Another cliché warns about the risks of putting all your eggs in one basket. Financial advisers constantly harp on that, too, telling clients to maintain a diversified portfolio so they can balance their risk. If one investment collapses, it doesn’t wipe out your entire nest egg.

So, if you’re an organization looking to consolidate down to one or two vendors, the message isn’t to abandon the idea; it’s to do it very carefully. In most cases, you’ll be living with the decision for several years through a long-term contract. If you choose poorly, that could mean a long-term headache.

And this leads to the main question: What are the best ways to vet a potential security vendor?

Start with the portfolio. If you’re going to use the products and services of a single vendor, it’s crucial that the vendor meets all of your security needs. It’s not good enough for just one of the so-called “essential three” automated tools, such as static application security testing (SAST), to be among the best available if the other two—software composition analysis (SCA) and dynamic application security testing (DAST)—are more like add-ons, amounting to fries with your burger.

To invoke another image, if you’ve got weak links in your chain, your whole chain is weak, and that is toxic in a software development life cycle where doing the right test at the right time is the only way to ensure that security gets built in during the hyperdrive speed of development. Keep in mind, too, that software risk is business risk.

Demand an open platform. Consolidation isn’t going to be an overnight event where you turn off six switches and leave one on. As Jim Ivers, vice president of marketing with the Synopsys Software Integrity Group, puts it, vendor consolidation is “the equivalent of changing the tires on a moving vehicle.” To do the software security version of this type of switch, you need a platform that will enable you to leverage your existing security testing tools to simplify the transition. Without it, there will be testing gaps—exactly what you don’t want.

Verify stability and longevity. Any potential vendor is going to be a partner for a while. Does it have a history of evolving its portfolio to keep pace with rapidly evolving development techniques and threats?

In short, consolidation can be good or bad for you, depending on how you do it. So, to stay on the good side, take the time to do it in a way that will help you build trust in your software.

If you need help, the Synopsys Software Integrity Group meets or exceeds the portfolio, platform, stability, and longevity standards, and it’s not just the company saying so. For the seventh year in a row, Gartner has placed Synopsys at the top of its Magic Quadrant for Application Security Testing. To learn more, visit us here.