Enable Third-party Vendor Management

Large organizations purchase and outsource development of a ton of software, and their development teams also depend on software platforms and libraries from third-party vendors to speed up internal development. Because organizations have little control over third-party source code, the company must blindly accept the risks inherent in third-party software. While many purchasing and outsourcing contracts include language about software security, it has been a toothless requirement that depends on verification questionnaires, which are probably filled out by the vendor’s IT executive, who probably has a plateful of other concerns. An application security program can give procurement departments some verification teeth: application testing methodologies determine the actual software risk, which procurement can then use as a leverage point during negotiations.