"To me, that says that 20% of those applications are tested before they come to Veracode," Wysopal said. "In other words, most of the (applications) haven't had any security review at all."
There are many reasons for that, from pressure on development teams to hit delivery dates, to the modular nature of most modern application development, which has led to a heavy reliance on open-source and third-party software components, many of which are themselves vulnerable, Wysopal said.
"Developers just ignore the code that they didn't write. Their attitude is 'someone else took care of the problem, so I don't have to,'" he said.
Simple steps to a secure supply chain
What's a security-conscious organization to do?
Nicholas of Microsoft said that organizations should take a risk-based approach to supply chain security and not make broad-brush decisions based on crude metrics like geography. Above all else, companies should look for transparency from their software and hardware suppliers.
"It comes down to having a good set of controls," he said. "Some of it is buying from trusted vendors and resellers. Some of it is understanding the processes that go into the products and services you're building into your procurement process," he said. "You need to build the basic foundation that will allow you to understand legitimate vendors and products, then build internal control practices that can identify when something is wrong," he said.
In 2009, Microsoft teamed with other tech giants including EMC, Juniper Networks, SAP, Symantec and Nokia to form SAFECode, a group focused on software assurance. That group has published guidance on identifying and responding to risks in the supply chain.
Other for-profit, non-profit and government groups have also weighed in with advice on securing supply chains. The U.S. National Institute of Standards and Technology (NIST) published draft guidance in March (PDF) for federal agencies interested in securing their supply chains. In the EU, the European Network and Information Security Agency (ENISA) has also published guidance calling for more secure trust models, better vetting of hardware and software, and improved technology for detecting malicious or fraudulent software.