In reading publications recently released by FS-ISAC and SAFECode on vendor management and third-party risk, I am pleased that the industry is finally coming together. We seem to finally agree on the obvious need to assess the processes under which software is made and not a particular end result. If “penetrate and patch” had any positive effect on software quality, we would have no defects left on planet Earth given how much testing has been done over the past 50 years. The Software Security Vendor Assessment Center (SSVAC) Two years ago, Synopsys created a non-profit, the Software Security Vendor Assessment Center (SSVAC), to help FS-ISAC members share vendor assessments. The SSVAC Board also agreed that the only way to really determine the health of software is to measure the process under which it is made.