
Software under scrutiny: AppSec is now a make or break factor

By Priyank Savla, Vice President, Marketing, Invicti.

Wednesday, 3rd June 2026, posted by Phil Alsop

Mid-market software companies have never been under such scrutiny. A combination of new threats, regulations and industry practices means their software can now be examined like never before. For those that have neglected AppSec, or treated it as a checkbox exercise, these developments should serve as a loud wake-up call to get serious about software security.

Supply Chain Threats

One thing the last few years have made absolutely clear is that in a globalised world, a cyberattack or technology failure at a single entity or in a single technology can have huge, cascading and catastrophic effects downstream. The 2024 CrowdStrike outage, caused by a faulty configuration update to its flagship Falcon software, left thousands of businesses paralysed, with losses reportedly running into the billions. The SunBurst attacks saw attackers infiltrate the update mechanism of SolarWinds' popular Orion software and go on to compromise governments and multinationals alike. Since then, new examples of exactly this have surfaced almost every week.

Indeed, attackers are actively trying to poison the software supply chain, attempting to plant malicious code in popular open-source repositories and components. Many organisations, especially large enterprises, are beginning to understand that their software partners are now a key, and potentially catastrophic, risk vector.

Compliance in the Software Supply Chain

A whole raft of new regulations, largely centred within the EU, focus on exactly this risk. Cognisant of the deep interconnection that characterises the European market, not to mention the global market, European regulators aim to stamp out systemic software risk.

The second Network and Information Systems (NIS2) directive, for example, generally focuses on large organisations deemed critical to a sector, including energy providers, critical infrastructure providers and software suppliers. These organisations will be compelled to take legal responsibility for the security of their suppliers and service providers.

Meanwhile, the Digital Operational Resilience Act (DORA) is specifically for European financial institutions but also covers ICT providers used within the sector. Under its auspices, compliant organisations will, again, have to take legal responsibility for and regularly assess the security of their suppliers and service providers. 

The same is largely true of the EU AI Act. This will compel companies building AI models, applications and components to meticulously document the components used and the build decisions made. That, of course, includes ensuring the security of third-party providers and suppliers.

While these target different sectors and use cases, all of these regulations focus on the security of the software supply chain and make continuous assessment of it a baseline requirement of compliance. That means every organisation to which these statutes apply will now be looking for software suppliers who can keep them compliant.

Other territories are taking similar steps. US Executive Order 14028, for example, requires software vendors that sell to the US government to provide SBOMs and follow NIST guidelines on secure software development practices. Meanwhile, China’s Data Security Law (DSL) also demands that organisations monitor their software supply chain risks, and Japan’s Economic Security Promotion Act means the government must vet the supply chains of critical sectors if they draw on high-risk overseas suppliers.

Audits On the Rise

Likely as a direct result of the above, more is now expected of mid-market software companies. Medium-sized organisations are increasingly subject to regular audits from both clients and regulators. In fact, A-Lign’s 2026 Compliance report shows that mid-sized businesses now go through around 5 audits a year, up from just 2 in 2024, matching the cadence of enterprises.

These audits are often driven by larger partners who need to remain compliant, not only with a range of new regulations but also with their insurance providers, whose cyber policies often require regular vetting of third parties.

SBOM Expectations

The rise of the Software Bill of Materials (SBOM) makes it practical to review software releases regularly. The SBOM, which clients increasingly demand, lists the dependencies and components of a given software release so that recipients can scrutinise them. From there, they can see whether the build decisions are sound, whether its components are secure, whether its dependencies are reliable and whether the libraries it draws on are still up to date. If they don’t like what they see, they can judge their suppliers on the quality of their work and send the release back entirely.
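One way a recipient could carry out the review just described, as an added example that is not from the article or any vendor: parse a CycloneDX-style JSON SBOM and flag components that carry a known advisory, lag an accepted baseline version, or lack the version data needed to judge them at all. The SBOM, the advisory feed, the baseline and the advisory id are all constructed for illustration.

```python
"""Recipient-side SBOM review: flag vulnerable, outdated and unassessable components."""
import json

# Constructed SBOM using CycloneDX JSON field names; the components are made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-http", "version": "2.3.1"},
    {"type": "library", "name": "acme-yaml", "version": "1.0.4"},
    {"type": "library", "name": "acme-auth", "version": "4.1.0"},
    {"type": "library", "name": "acme-legacy"}
  ]
}"""
# Constructed advisory feed: name -> (first fixed version, placeholder advisory id).
ADVISORIES = {"acme-yaml": ("1.1.0", "ADV-PLACEHOLDER-001")}
# Constructed baseline: the newest version of each component the reviewer accepts.
BASELINE = {"acme-http": "2.4.0", "acme-yaml": "1.1.0", "acme-auth": "4.1.0"}

def vtuple(version):
    """Dotted numeric version -> comparable tuple, e.g. '2.3.1' -> (2, 3, 1).
    Assumes purely numeric segments; real SBOMs may need a fuller version parser."""
    return tuple(int(part) for part in version.split("."))

def review_sbom(sbom_text, advisories=ADVISORIES, baseline=BASELINE):
    """Return (component, issue, detail) findings; an empty list means the release passes."""
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        name, version = comp.get("name", "<unnamed>"), comp.get("version")
        if not version:  # a component with no declared version cannot be assessed
            findings.append((name, "missing-version", "no version declared in SBOM"))
            continue
        if name in advisories:
            fixed, adv_id = advisories[name]
            if vtuple(version) < vtuple(fixed):
                findings.append((name, "vulnerable", f"{version} < {fixed}, see {adv_id}"))
        if name not in baseline:  # unknown to the reviewer: needs a human look
            findings.append((name, "unreviewed", "component not in accepted baseline"))
        elif vtuple(version) < vtuple(baseline[name]):
            findings.append((name, "outdated", f"{version} behind baseline {baseline[name]}"))
    return findings

def release_acceptable(sbom_text):
    """Accept only a release with no findings, i.e. otherwise 'send it back'."""
    return not review_sbom(sbom_text)

if __name__ == "__main__":
    for name, issue, detail in review_sbom(SBOM_JSON):
        print(f"{issue:16} {name}: {detail}")
```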

This should push many to mature their AppSec programmes, ensuring that any and all vulnerabilities are found well before they ever reach production. These are no longer only conditions for compliance and insurance, but increasingly for winning customer engagements.

Maturing AppSec

This new level of scrutiny now bearing down on the mid-market merits greater levels of attention to application security. Still, many won’t be able to meet those rising expectations.

Their application security stacks are fragmented across numerous tools, drowning them in alerts that offer no context and little clarity about impending threats. Perhaps most importantly, those tools are often focused only on errors in static code and not on running applications in live environments.

Indeed, to adapt to these new circumstances, organisations need to look towards unified, context-aware AppSec platforms. Sometimes known as Application Security Posture Management (ASPM), these bring together the various scanning functions of classical AppSec, correlate data from across the Software Development Life Cycle (SDLC) and put it behind one central point of control. From there, they integrate with SCMs, CI/CD pipelines and environments such as AWS or Azure, not just to see vulnerabilities and errors but to understand how they behave in live environments.

It’s that broad context, combined with dynamic application security testing (DAST), that allows these unified platforms to see and validate what causes risk at runtime. This lets users distinguish between theoretical vulnerabilities and exploitable ones, confirming those that are reachable in a live environment and discarding those that don’t produce actual risk.

Users of ASPM platforms report finding 40% more high-risk vulnerabilities and shortening remediation times by a further 40%. Furthermore, some of these platforms report confirmation accuracies as high as 99.98%, meaning less time is wasted chasing false positives.

Whether or not mid-market software companies are directly subject to the demands of international regulations or cyber insurance policies, they will still be shaped by them. Their clients now expect far more of them and have the technical means, in the form of the SBOM, to demand it. For these companies, offering ironclad AppSec and supply chain assurance will be what ensures both survival and success.
