Contributor: Cassie Crossley, VP Supply Chain Security, Schneider Electric
I’m frequently asked how to evaluate vendors, especially from those that don’t have a procurement staff dedicated to the task, or from those that are in cybersecurity who are often excluded from purchasing decisions. Unfortunately, there is not a straight, simple, or easy answer. However, there are two fundamental assessments I recommend in my book, “Software Supply Chain Security: Securing the End-to-End Supply Chain for Software, Firmware, and Hardware.”
The fundamentals include the following:
I can almost always assess the general software security posture by reviewing these two assessments. If a vendor has a description of their product security posture on their website, in a posture paper, or by displaying product security certifications, that usually informs me their organization has recognized the importance and mission of product security, application security, and software security. This transparency is still rarely seen on small to mid-size organizational websites, usually because their product security programs are in the beginning stages. Generally, organizations begin with vulnerability disclosure policies and security notices before progressing to advanced transparency such as posture papers and product security certifications.
Just as a picture is worth a thousand words, evidence of security demonstrates maturity in the development cycle. When an organization can share reports from software composition analysis (SCA) tools, product security reviews, and penetration tests, it is clear they have a strong baseline of software security practices. The report details are usually redacted or summarized, but the fact that evidence exists demonstrates that software security practices are compulsory within the organization.
An aspect that organizations sometimes miss, by contrast, is the use of IT controls for development environments and processes. Development environments are not the same as standard corporate environments and systems. By asking for the policies and controls covering development systems, build environments, and other non-production infrastructure, you learn whether the organization can prove the use of secure environments and repeatable practices for designing, developing, building, testing, and deploying products.
Cybersecurity must be intentional. The same holds true for software security. Incorporating product security assessments into the vendor selection and evaluation process is essential to observe and assess the software security of a potential vendor. It does not take much time to assess vendors for the software security fundamentals, and it quickly shows the degree of software security maturity, which should then feed into risk analysis and decision criteria.
Cassie Crossley is an experienced cybersecurity technology executive in Information Technology and Product Development and author of “Software Supply Chain Security: Securing the End-to-End Supply Chain for Software, Firmware, and Hardware.” She has many years of business and technical leadership experience in supply chain security, cybersecurity, product/application security, software/firmware development, program management, and data privacy. Cassie has designed frameworks and operating models for end-to-end security in software development lifecycles, third party risk management, cybersecurity governance, and cybersecurity initiatives. She is a member of the CISA SBOM working groups and presents frequently on the topic of SBOMs and Supply Chain Security.