Secure software: Third-party suppliers your first-party risk
www.computerweekly.com
In 1965, Ralph Nader's groundbreaking book Unsafe at Any Speed exposed how car manufacturers prioritised style, performance, and profit over the safety of drivers and passengers. His narrative spurred public outrage and catalysed sweeping changes, including the widespread adoption of seatbelts and other safety innovations. As the former CISA director Jen Easterly noted earlier this year, today we find ourselves at a similar inflection point in the software development domain.

Because speed and product features are prioritised, secure software development is often treated as an afterthought. Cyber threats are becoming more sophisticated, and if organisations do not demand early introduction and better integration of security measures from their software suppliers, they may face severe consequences.

Organisations today increasingly rely on Software as a Service (SaaS), embedding it deeply into their infrastructure and business operations because it is cheaper and more efficient. Although these solutions offer scalability and efficiency, they also introduce significant risk. We now also live in an era dominated by artificial intelligence (AI), in which traditional security boundaries are being circumvented. Given the vast amount of data exchanged between systems and the numerous actors involved in the supply chain, the impact of a cyber incident related to software development flaws is now greater than ever before. The scale and complexity of data requiring protection have skyrocketed, as AI now generates, aggregates, and shares vast amounts of data across organisations and third parties.

The 2024 Data Breach Investigations Report from Verizon reveals that 15% of breaches involved a third party or supplier, such as software supply chains, hosting partner infrastructures, or data custodians.
This number has been rising year-over-year, and it highlights the urgent need for organisations to rethink their approach to third-party risk management.

One of the biggest mistakes companies make in vendor assessments is focusing solely on vendor security compliance rather than product security. Many organisations send out lengthy questionnaires to vendors about their Information Security Management System (ISMS) but fail to scrutinise their application and product security. Certifications and compliance attestations, such as ISO 27001, SOC 2, PCI DSS, and GDPR, are often viewed as security benchmarks, but they do not necessarily guarantee continuous secure software development practices.

Some vendors may hold these certifications; however, certain products in their portfolio may fall outside the scope of these security standards and frameworks. If overlooked, this blind spot can lead to significant security risks. An organisation may assume a certified vendor has robust security measures in place, only to discover later that the specific product it is using lacks fundamental security controls.

To resist supply chain attacks and mitigate associated risks, organisations must push their suppliers to prioritise secure software development. This means requiring vendors to demonstrate not just security compliance but also a clear attestation of, and commitment to, secure development practices. Here are some key initiatives organisations should implement to build an effective Third-Party Assessment Program:

Expand traditional vendor security assessments: Go beyond basic cybersecurity questionnaires and challenge vendors on their application and product security measures. Tailor the program to the specific requirements and dynamics of your organisation, and consider incorporating questions related to emerging technologies such as AI.

Ensure Secure Software Development Lifecycle (SDLC) practices: Require vendors to provide evidence that security is incorporated at every phase of development, from design to deployment.

Shift third-party risk management from domain to control: Third-party risk management is ultimately about managing business risks, not just security risks. At its core, it is a data problem. Therefore, organisations should involve data owners and relevant stakeholders in the process and educate them about the associated risks in clear business terms.

Demand transparency: Get visibility into the security controls applied to software products, rather than relying solely on compliance certifications.

Conduct continuous third-party risk assessment: Continuously monitor third-party vendors, as security risks evolve over time.

Adopt a zero-trust mindset: Assume that every third-party connection could be a potential risk and enforce strict access controls wherever possible.

The digital landscape of 2025 requires a fundamental shift in how we approach software security. Just as seatbelts and safety standards revolutionised the automobile industry, robust security practices must become the norm in software development.

Organisations must recognise that third-party risk is their own risk. It is no longer sufficient to rely on vendor assurances or compliance checkboxes. Instead, businesses must take a proactive stance by demanding transparency, enforcing rigorous security standards, and ensuring that secure development is a priority from the ground up. If we fail to push suppliers to develop securely, the consequences will be far-reaching, impacting not just individual companies but the entire digital ecosystem.

Ejona Prei is an ISACA member and volunteer, and a longstanding cyber leader. She works as global CISO at Lindal Group, a Hamburg-based manufacturer of packaging products, and is also president of Women in Cybersecurity (WiCyS) Germany. Ejona is committed to diversity and inclusion in security, and hopes to shape a future where artificial intelligence (AI) and cyber security solutions prioritise fairness, accountability, and societal wellbeing, bridging the gap between innovation and ethics. This is her first contribution to the Computer Weekly Security Think Tank.