Vendors can be held to published standards. The industry seems to take operational/sysadmin standards seriously when required to (HIPAA, PCI, etc.), including across the client/contractor boundary. Problem is, there don't seem to be equivalent standards in widespread use for programs themselves, only the environments they're running in. That could change, if the holders of the purse strings were to demand it.
Attacks on dependencies are tricky. But it seems like the dumbest, most high-profile attacks are against the core line-of-business applications. I'm sure AT&T has the very best firewalls money can buy, but it operated a consumer-facing application which did not check whether a user-supplied primary key actually belonged to the logged-in user before displaying private data! This is the disconnect I'm talking about.
If they're being outsourced to the lowest bidder, then maybe they shouldn't be. If they're being bought off the shelf, purchasers could either demand certifications that meaningfully eliminate at least the elementary classes of vulnerabilities or go in-house and do it right.
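The AT&T bug described above is an insecure direct object reference: the request is authenticated, but the record lookup is keyed only on the primary key the user supplies. The following is an added illustration, not code from the original thread or from any real AT&T system; the account records, user IDs, handler names and the `NotFound` exception are all constructed for the example. It shows the vulnerable lookup next to the fixed one, plus a small regression probe that a test suite can run to catch the elementary class of bug the comment complains about.

```python
"""IDOR: the missing ownership check, next to the fix (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Callable, Dict


class NotFound(Exception):
    """Hypothetical exception: no record matches the request for this caller."""


@dataclass(frozen=True)
class AccountRecord:
    record_id: int        # the user-supplied primary key from the URL
    owner_user_id: int    # whose private data this is
    private_data: str


# Constructed sample data: two customers (user 7 and user 8), one record each.
RECORDS: Dict[int, AccountRecord] = {
    1001: AccountRecord(1001, owner_user_id=7, private_data="SSN ***-**-1234"),
    1002: AccountRecord(1002, owner_user_id=8, private_data="SSN ***-**-5678"),
}


def get_record_vulnerable(session_user_id: int, record_id: int) -> AccountRecord:
    """The disconnect from the comment: the caller is logged in (we know
    session_user_id), but the lookup uses only the attacker-controlled
    record_id. Any authenticated user can walk 1001, 1002, ... and read
    everyone's data."""
    try:
        return RECORDS[record_id]
    except KeyError:
        raise NotFound(record_id)


def get_record_safe(session_user_id: int, record_id: int) -> AccountRecord:
    """Fixed: ownership is part of the lookup predicate itself, the in-memory
    equivalent of SELECT ... WHERE id = ? AND owner_id = ?. Scoping the query
    beats fetch-then-check because no code path ever holds someone else's row
    and then has to remember to deny it."""
    record = RECORDS.get(record_id)
    if record is None or record.owner_user_id != session_user_id:
        # "Not yours" and "does not exist" collapse into one response, so the
        # endpoint cannot be used to probe which primary keys are valid.
        raise NotFound(record_id)
    return record


def idor_probe(handler: Callable[[int, int], AccountRecord],
               attacker_user_id: int, victim_record_id: int) -> bool:
    """Regression check: True if `handler` hands the attacker a record they do
    not own. Run it against every object-by-id endpoint in the test suite."""
    try:
        leaked = handler(attacker_user_id, victim_record_id)
    except NotFound:
        return False
    return leaked.owner_user_id != attacker_user_id


if __name__ == "__main__":
    # User 7 requests user 8's record through each handler.
    print("vulnerable leaks:", idor_probe(get_record_vulnerable, 7, 1002))  # True
    print("hardened leaks:  ", idor_probe(get_record_safe, 7, 1002))        # False
```

The probe is the part worth keeping: a per-endpoint check that a second account cannot read the first account's objects is cheap to write, and it is exactly the kind of elementary-class assertion a purchaser could demand evidence of before accepting delivery.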