I realised some development houses have no idea what a systems development life cycle (SDLC) was when I began reviewing security of third party applications.
I learnt that the gap between a secure and insecure solution was as vast as their understanding of the two.
Security professionals sometimes find themselves in a tough place where they are forced to deal with a vendor after the paper is already signed and any effort to improve security is dependent on the attitude of the vendor.
Some vendors, particularly those new to the security process, have a terrific attitude because they realise it builds a better product for their clients who may even be willing to work with them to get it done.
Others are completely recalcitrant and refuse to do anything unless an enhancement request is lodged and money paid. These are what I call 'bad vendors'.
This attitude is what separates the good vendors from the bad. I've seen the good vendors turn around horribly insecure applications within a year of launch, and ensure that all future applications are held up to a gold standard of secure application development.
And I've seen bad vendors try to charge for every security defect and were never used again.
Too often I've seen companies roll over for a vendor and accept substandard outcomes because they were afraid to argue or engage with them about getting things fixed.
To be fair, some vendors have a strategy of crushing the customer into accepting the delivery of insecure solutions to avoid the pain of regularly debating the need for fixes.
The art of building and maintaining trusted relationships with key strategic partners is crucial, increasingly so as we move more services into the cloud, hand more black box appliances to third parties, and develop more applications out-of-house.
If you can engage in early vendor pre-selection meetings, you may get the chance to ensure SDLC, code review, penetration testing and OWASP Top Ten are embedded into a contract.
But if you don't, your ability to lead by example, encourage their development, and recognise learning mistakes and earnest attempts at redressing issues will be what turns it around.
But you also need to recognise the bad vendors. They have no desire to improve their product, improve their service or improve their delivery.
Their job is to shake you down for every cent they can.