When doing anything challenging whether it’s a diet or writing a book, the hardest part can be figuring out where to start. Addressing software supply chain security is no different.
The typical organization has 390 business critical applications that are supplied by third parties, to say nothing of the multitudes of marketing web sites, operational sites, partner sites, off-the-shelf customer data management software, and others that represent its overall third-party-developed software footprint. It’s all too tempting to either lay down a blanket rule across all suppliers with no practical plan to implement, or to give up and turn a blind eye to supplier-provided vulnerabilities.
Giving up is not recommended, given that there are proven alternatives like CA Veracode’s vendor application security testing program that have been successful for Boeing and Thomson Reuters, among others. But it’s also important to not fall into implementation paralysis by reaching too broadly. Or, in other words, don’t boil the ocean!
Other supply chain transformation efforts suggest several ways to go after the problem. These include the 80/20 rule and low-hanging fruit. (These examples are drawn from the excellent Wharton article “Managing Green Supply Chains.”) To these best practices, CA Veracode would add the “go-forward” rule.
The 80/20 rule: Wal-Mart’s energy-saving supply chain initiative began with its top 200 suppliers in China, who represented (in 2008) constituted 60% to 80% of its total supply chain. By analogy, an enterprise could identify top software suppliers based on number of applications, or amount of data under management, and concentrate its initial supply chain efforts there.
Low-hanging fruit: The National Resources Defense Council (NRDC) recommends instead gathering easy wins to create momentum. In the software supply chain, this means addressing suppliers who may already supply attestations either publicly or to other customers, and documenting the process to create a “quick win” that can be reused as a case study.
Go-Forward: A software-supply-chain specific variation on the “low hanging fruit” strategy is to implement the new practices on suppliers as they enter or renew their presence in the supply chain via purchase or renewal of services. This is the part in the vendor relationship where the enterprise has natural negotiating power and is a good place to address new supply chain requirements if the enterprise lacks the market power to impose them on settled suppliers.
There are a variety of approaches that can be used to rapidly transform part of a supply chain, and an enterprise can choose among them based on the structure of their supplier base and their market power. Once the supply chain approach is chosen, attention turns to working with the supplier themselves. I’ll discuss some ways to do that in the next post.