Chapter 9. Suppliers

Suppliers can introduce risks to you through the people, practices, code, and technologies that they use to build their product or service. A single code library provided by a supplier, for example, can introduce critical vulnerabilities into your organization, products, or services. Your organization likely has a process for selecting suppliers, which usually includes an evaluation of the supplier’s financial health, the quality of the product it produces, and its ability to deliver the volumes you need. When reviewing criteria for a potential supplier, cybersecurity should also be a weighted factor in your overall evaluation. These supplier evaluations now assess the risk of cybersecurity issues, data breaches, and regulatory compliance, or are used to meet insurance requirements. The evaluations are important, but they may not address the key risks for the supplier’s scope of products or services. For example, a good cybersecurity posture on a supplier’s websites and external attack surfaces does not necessarily mean that the supplier uses a secure software development lifecycle process or monitors its development environments.

Throughout this chapter, I use the term “supplier” to represent the direct supplier or vendor who provides goods or services to your organization, which would make it a “third-party” supplier. Each third-party supplier may have multiple suppliers itself, making them your fourth-party suppliers. This continues upstream to the fifth party all ...

Get Software Supply Chain Security now with the O’Reilly learning platform.