
3 Best Practices to Improve Software Supply Chain Security

Strengthen your resilience against software supply chain attacks by implementing these best practices for increasing third-party risk visibility and accelerating risk mitigation.
By Scott Lang, VP, Product Marketing
January 26, 2022

In response to the recent spate of software supply chain attacks, the United States Senate passed a bill aimed at improving cybersecurity training for federal procurement personnel. The Supply Chain Security Training Act will require agencies to assess and mitigate supply chain risk throughout the acquisition lifecycle. When enacted into law, the bill will require the Department of Homeland Security, NIST and other federal agencies to coordinate on the details and enforce the program. A similar bill is before the House of Representatives.

Prevalent believes that tighter cybersecurity provisions are essential to strengthening supply chain risk management, and we suggest all organizations – not just federal agencies – consider implementing the following best practices.

1. Broaden Vendor Due Diligence by Combining Internal Controls Assessments with External Risk Monitoring

To reduce the likelihood of a third-party software supply chain disruption, require solution providers to share information about their software development lifecycle, including:

  • where their source code comes from
  • what their quality assurance (QA) processes look like
  • what their SLAs are for vulnerability identification and remediation

While you can gather the above information using a questionnaire-based assessment, remember that assessment responses are typically accurate only for a specific point in time. It’s therefore important to augment your supplier assessments with continuously updated vendor risk data from sources including:

  • Criminal forums, onion pages, dark web special access forums, threat feeds, and paste sites for leaked credentials. Monitoring chatter on these sites can provide an early-warning indicator that a supply chain partner has or will be targeted.
  • Security communities, code repositories, vulnerability databases, and historical data breach notifications to regularly check vendor security hygiene.
  • Reputational inputs that open vendors to potential compromise, including adverse media coverage, inclusion on global sanctions lists, or ownership by a state-owned enterprise.

By monitoring these intelligence sources, you gain current visibility into whether a potential supplier has been, or could be, exploited. As a result, your supplier risk assessments become less static and more dynamic.

However, beware of building a risk monitoring program that is overly complex and expensive. With hundreds of potential sources of cybersecurity and reputational intelligence to choose from, it’s easy to quickly become overwhelmed with uncorrelated data from disparate, separately licensed sources.

Look for platforms that centralize inputs from multiple intelligence sources, use the findings to validate assessment results, and provide meaningful reports on which vendors present the most significant risk exposure.


2. Identify Your 4th Party Vendors to Reveal Potential Supply Chain Risks

The further upstream you go in your supply chain, the less visibility you have. This can present problems when your organization is faced with the prospect of ransomware attacks and security breaches. Gaining visibility into your extended vendor ecosystem can reveal relationships where your data is handled, but this information can be time-consuming to gather and quickly outdated.

To overcome this challenge, use a third-party assessment platform to build comprehensive vendor profiles that include key vendor information such as location, fourth parties, and deployed technologies – complemented with information from external supplier perimeter scanning. The outcome will be a relationship map that easily identifies technology concentration risk, so you’ll be better prepared when the next SolarWinds happens.

3. Automate Incident Response to Accelerate Risk Mitigation

When a large-scale software supply chain breach occurs, the natural first question to ask is, “Are we impacted?” followed quickly by, “Are our third parties impacted?” We saw this scenario play out several times in 2021 with breaches such as SolarWinds and Kaseya. Having comprehensive vendor profiles, as described in the previous best practice, will put you in a great position to quickly answer that question.

However, when it comes time to determine a vendor’s exposure and mitigation plans, many organizations are left flat-footed – using spreadsheets to assess and triage risks across potentially hundreds of supply chain partners.

Here are a few steps for taking a smarter, faster approach to incident response:

  • Manage all your vendors centrally – not just your high-tier ones. Software supply chain risks can be widespread and extend far beyond those vendors you consider most critical.
  • Issue and track incident-specific assessments with remediation recommendations to accelerate risk mitigation. Assessments should include questions on business continuity in case of failure, backups, recovery plans, and more.
  • Enable third parties to proactively report incidents using a standardized event reporting assessment that automatically scores and escalates risks for appropriate triage and reporting.
  • Use workflow rules to trigger automated actions that enable you to act on risks according to their potential impact to the business.
  • Analyze assessment results centrally to coordinate remediation efforts with partners and report on progress to management.
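To make the relationship map from best practice 2 and the scoring and workflow rules from best practice 3 concrete, here is an added example that is not Prevalent's code or part of the original post. It models vendor profiles with their deployed technologies and fourth parties, answers "which vendors are exposed to a compromised technology, directly or through a fourth party?", ranks technology concentration risk, scores an incident-specific assessment, and applies a tier-aware escalation rule. Every vendor, fourth party, technology name, question weight and threshold is constructed for illustration.

```python
"""Vendor relationship map, concentration risk and incident triage (added example).

All names and numbers below are constructed placeholders, not real vendors or data.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field

# Constructed: fourth parties (your vendors' sub-processors) and the technologies they run.
FOURTH_PARTIES = {
    "HostCo": {"ExampleMon Agent", "CloudDB"},
    "MailRelay": {"SMTP-Gateway"},
}


@dataclass
class Vendor:
    name: str
    tier: int                      # 1 = highest business impact
    technologies: set               # technologies the vendor deploys itself
    fourth_parties: set = field(default_factory=set)

    def exposed_technologies(self) -> set:
        """Direct deployments plus anything inherited from fourth parties."""
        inherited = set()
        for fp in self.fourth_parties:
            inherited |= FOURTH_PARTIES.get(fp, set())
        return self.technologies | inherited


# Constructed vendor profiles, including non-critical tiers (risk is not limited to tier 1).
VENDORS = [
    Vendor("Acme Payroll", 1, {"ExampleMon Agent", "CloudDB"}, {"HostCo"}),
    Vendor("Beta Analytics", 2, {"CloudDB"}, {"HostCo", "MailRelay"}),
    Vendor("Gamma Logistics", 3, {"LegacyERP"}, {"MailRelay"}),
    Vendor("Delta Staffing", 3, {"ExampleMon Agent"}, set()),
]


def concentration_risk(vendors) -> list:
    """How many vendors are exposed to each technology; the top entries are your
    single points of failure when that technology is compromised."""
    counts = Counter()
    for v in vendors:
        counts.update(v.exposed_technologies())
    return counts.most_common()


def impacted_vendors(vendors, compromised: str) -> dict:
    """Map vendor name -> how it is exposed ('direct' or 'via <fourth party>')."""
    result = {}
    for v in vendors:
        if compromised in v.technologies:
            result[v.name] = "direct"
            continue
        for fp in sorted(v.fourth_parties):
            if compromised in FOURTH_PARTIES.get(fp, set()):
                result[v.name] = f"via {fp}"
                break
    return dict(sorted(result.items()))


# Constructed incident-specific assessment: question id -> (text, weight added when NOT confirmed).
ASSESSMENT = {
    "patched": ("Affected component patched or removed?", 40),
    "ioc_review": ("Logs reviewed for indicators listed in the advisory?", 25),
    "backups": ("Offline backups verified restorable?", 20),
    "continuity": ("Business continuity plan invoked and tested?", 15),
}


def score_assessment(answers: dict) -> int:
    """Residual risk 0..100. An unanswered question counts as unconfirmed (fail closed)."""
    return sum(weight for qid, (_, weight) in ASSESSMENT.items() if not answers.get(qid, False))


def escalate(score: int, tier: int) -> str:
    """Workflow rule: the action depends on both residual score and the vendor's impact tier."""
    if score >= 60 or (tier == 1 and score >= 25):
        return "escalate: executive review, restrict data flows pending remediation"
    if score >= 25:
        return "track: open remediation task, re-assess in 14 days"
    return "close: record evidence in vendor profile"


def triage(compromised: str, responses: dict) -> list:
    """For one incident, return (vendor, exposure, score, action) for every exposed vendor."""
    by_name = {v.name: v for v in VENDORS}
    rows = []
    for name, exposure in impacted_vendors(VENDORS, compromised).items():
        score = score_assessment(responses.get(name, {}))
        rows.append((name, exposure, score, escalate(score, by_name[name].tier)))
    return rows


# Constructed responses to the incident assessment; Delta Staffing has not responded at all.
RESPONSES = {
    "Acme Payroll": {"patched": True, "ioc_review": True, "backups": True, "continuity": True},
    "Beta Analytics": {"patched": True, "ioc_review": False, "backups": True},
}

if __name__ == "__main__":
    print("Concentration risk:", concentration_risk(VENDORS))
    for row in triage("ExampleMon Agent", RESPONSES):
        print(row)
```

Running the block shows that a tier-3 vendor that never answers is escalated ahead of a tier-1 vendor with complete evidence, which is the point of scoring every vendor centrally rather than only the ones you consider critical; the indirect exposure of Beta Analytics through HostCo is only visible because the fourth-party layer is in the profile.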

Next Steps for Better Software Supply Chain Security

Taking a manual, reactive approach to third-party software vulnerability detection and incident response will only increase your likelihood of a business disruption. Instead, implement the three best practices in this post to be better prepared for your next supply chain security challenge.

For more on how Prevalent can help reduce supply chain risk at every stage of the vendor lifecycle, read our white paper Navigating the Vendor Risk Lifecycle, or request a demo for a strategy session today.

Scott Lang
VP, Product Marketing
Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software. He can be reached on Twitter @scottinohio, LinkedIn and Facebook.