Chapter 63. Supplier Relationship Management to Reduce Software Supply Chain Security Risk

Cassie Crossley

Software suppliers introduce risk to application security, even when proper due diligence is performed before selecting the commercial or open source supplier. Security professionals should know that AppSec is not just about writing secure code; it is also about understanding your software dependencies and managing the risks introduced by your software supply chain.

A supplier relationship can either be one-sided, as is the case for open source or a licensed product, or mutual, where you have a contract with the supplier. For the one-sided supplier relationship, you can monitor for patches, updates, and vulnerabilities, but for mutual relationships, there is so much more that can be done to reduce supply chain security risk.
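The monitoring described above for one-sided relationships amounts to comparing what you ship against published advisories. The following is an added example, not code from the chapter or its author: it loads a CycloneDX-style SBOM fragment and checks each component against OSV-shaped advisory records with introduced/fixed version events. The package names, versions and advisory IDs are constructed placeholders, and the version comparison is a deliberate simplification (numeric major.minor.patch only, no pre-release semantics); a real pipeline would pull advisories from a feed such as OSV and use a full semantic-version library.

```python
"""Match a dependency inventory against vulnerability advisories, offline.

Added example, not from the chapter. The SBOM fragment and the advisory
records are constructed for illustration; IDs are placeholders, not real
identifiers.
"""
import json
import re

# Constructed CycloneDX-style SBOM fragment (not a real project inventory).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "example-json",   "version": "1.4.2", "purl": "pkg:pypi/example-json@1.4.2"},
    {"name": "example-http",   "version": "3.0.1", "purl": "pkg:pypi/example-http@3.0.1"},
    {"name": "example-crypto", "version": "0.9.0", "purl": "pkg:pypi/example-crypto@0.9.0"}
  ]
}
"""

# Constructed advisories in an OSV-like shape: a package is affected from
# `introduced` (inclusive) up to `fixed` (exclusive); fixed=None means no
# fixed release exists yet, which is the case that needs a mitigation decision.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "example-json",
     "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "EXAMPLE-2024-0002", "package": "example-http",
     "introduced": "2.0.0", "fixed": "3.0.0"},
    {"id": "EXAMPLE-2024-0003", "package": "example-crypto",
     "introduced": "0.0.0", "fixed": None},
]


def parse_version(v):
    """Map '1.4.2' to (1, 4, 2). Missing parts pad to 0; non-numeric parts
    (e.g. '2rc1') become 0. Simplification: no pre-release ordering."""
    parts = re.split(r"[.\-+]", v.strip())
    nums = [int(p) if p.isdigit() else 0 for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (or version >= introduced when no fix)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is None:
        return True
    return v < parse_version(fixed)


def load_components(sbom_json):
    """Extract (name, version) pairs from a CycloneDX JSON document."""
    bom = json.loads(sbom_json)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def find_vulnerable(sbom_json, advisories):
    """Return sorted (component, version, advisory_id, fixed_version) tuples
    for every component that falls inside an advisory's affected range."""
    hits = []
    for name, version in load_components(sbom_json):
        for adv in advisories:
            if adv["package"] == name and is_affected(version, adv["introduced"], adv["fixed"]):
                hits.append((name, version, adv["id"], adv["fixed"]))
    return sorted(hits)


if __name__ == "__main__":
    for name, version, adv_id, fixed in find_vulnerable(SBOM_JSON, ADVISORIES):
        remedy = f"upgrade to {fixed}" if fixed else "no fix available; mitigate or replace"
        print(f"{name} {version}: {adv_id} ({remedy})")
```

Run this on a schedule against the SBOM your build produces and a refreshed advisory feed; the "no fix available" branch is the case where a one-sided relationship gives you no one to call, so the output should route to a risk decision rather than just a ticket to upgrade.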

Signing a contract with a supplier is like a marriage, which means the dating process is just as important as the marriage. Unfortunately, suppliers are sometimes selected as quickly as “swiping right”; in other words, the supplier selection may occur without any investigation. Every supplier, however, needs to be examined for all types of risk, because supply chain security risk is much more than cybersecurity or technical risk. The MITRE Corporation’s System of Trust is a free supply chain security framework that can help any size organization identify ...

Get 97 Things Every Application Security Professional Should Know now with the O’Reilly learning platform.
