Software supply chain security has arrived with Google’s Vendor Security Assessment Questionnaire (VSAQ)! Or has it? The web-based application released under an open-source license on GitHub contains the actual questionnaire Google uses to review its own software vendors' security practices before making a purchase.
I know what you’re thinking: “if it’s good enough for Google, it’s good enough for me!”
Let me count the ways this is just not true: three. While a good first step in tackling software supply chain security, it is simply a starting point. You can and should do more if you are purchasing a software product.
First, VSAQ asks for information on a software vendor and the vendor’s development process, but only lightly touches on the actual software being purchased. This is concerning because, while a company could aspire to best practices on its web application development process, this does not guarantee that these practices were followed.
Second, a form-assessment such as VSAQ relies on self-attestation: that the vendor is entirely truthful and speaking to the development process of the particular software you want to buy, not just of the ideal process it "tries" to follow.
If you’re a company looking to purchase software, or software as a service, you should ask your vendor to show you the paperwork created during application security testing (static, dynamic, composition, etc.) that shows, proof positive, the risk of that particular application. If your vendor can’t do this, ask it to let you test its software. Either way, get the proof you need, not speculation.
Finally, as software is assembled from existing components found in libraries such as GitHub, you should require a "bill of materials" from the software vendor so that if future vulnerabilities are found in those components leveraged by its product, you are aware of the risk as soon as possible.
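To make the bill-of-materials point concrete, here is an added example (not code from the original post, from Google's VSAQ, or from any vendor) showing why a machine-readable SBOM is worth demanding: once you hold one, checking it against newly published advisories is a few lines of code rather than an e-mail to the vendor. The SBOM below is a constructed sample in a CycloneDX-like JSON shape, and the advisory feed is a constructed OSV-like list with placeholder identifiers (`ADV-EXAMPLE-…`); the component names, versions and ranges are invented for illustration, and the version comparison is a simplified numeric one rather than a full ecosystem-specific implementation.

```python
import json
import re

# Constructed sample SBOM (CycloneDX-like shape); not a real vendor's bill of materials.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-json-parser", "version": "1.2.3",
     "purl": "pkg:npm/example-json-parser@1.2.3"},
    {"type": "library", "name": "example-crypto-lib", "version": "2.0.1",
     "purl": "pkg:pypi/example-crypto-lib@2.0.1"},
    {"type": "library", "name": "example-http-client", "version": "4.5.0",
     "purl": "pkg:maven/org.example/example-http-client@4.5.0"}
  ]
}
"""

# Constructed advisory feed (OSV-like shape) with placeholder identifiers.
# "fixed": None means no fixed release exists yet, so every version from
# "introduced" onward is considered affected.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "example-json-parser", "ecosystem": "npm",
     "introduced": "1.0.0", "fixed": "1.2.5"},
    {"id": "ADV-EXAMPLE-0002", "package": "example-crypto-lib", "ecosystem": "pypi",
     "introduced": "0", "fixed": "2.0.0"},
    {"id": "ADV-EXAMPLE-0003", "package": "example-http-client", "ecosystem": "maven",
     "introduced": "4.0.0", "fixed": None},
]


def parse_version(text):
    """Turn a dotted version such as '1.2.3-beta' into a comparable tuple (1, 2, 3).
    Simplified: only leading digits of each dotted part are used."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if match is None:
            break
        parts.append(int(match.group(0)))
    return tuple(parts) if parts else (0,)


def ecosystem_from_purl(purl):
    """Extract the package type from a purl, e.g. 'pkg:npm/foo@1.0' -> 'npm'."""
    if not purl.startswith("pkg:") or "/" not in purl:
        return None
    return purl[len("pkg:"):].split("/", 1)[0]


def is_affected(version, introduced, fixed):
    """OSV-style range check: introduced <= version < fixed (open-ended if no fix)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is None:
        return True
    return v < parse_version(fixed)


def match_sbom_against_advisories(sbom_json, advisories):
    """Return one record per (component, advisory) pair where the shipped
    version falls inside the advisory's affected range and the ecosystem matches."""
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom.get("components", []):
        name = component.get("name")
        version = component.get("version", "")
        ecosystem = ecosystem_from_purl(component.get("purl", ""))
        for advisory in advisories:
            if advisory["package"] != name or advisory["ecosystem"] != ecosystem:
                continue
            if is_affected(version, advisory["introduced"], advisory["fixed"]):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory_id": advisory["id"],
                    "fixed_in": advisory["fixed"],
                })
    return findings


if __name__ == "__main__":
    for finding in match_sbom_against_advisories(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES):
        print(f"{finding['component']} {finding['version']}: {finding['advisory_id']}"
              f" (fixed in {finding['fixed_in'] or 'no fix yet'})")
```

The check deliberately keys on both the package name and the purl ecosystem, because the same library name can exist in several package registries with unrelated code; an SBOM that omits purls (or any stable identifier) is much harder to correlate with advisories, which is a reasonable thing to push back on when a vendor hands one over.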
Form-assessments such as VSAQ, or the SIG or AUP offered from Shared Assessments, are a good place to start. However, to really reduce software supply chain security risk, the software itself must be tested – an approach advocated by the financial services consortium FS-ISAC, in its whitepaper on this subject.
We can help. Our VAST program is designed specifically for this purpose.