When you think about securing your software supply chain, don’t reinvent the wheel: you can learn a lot from initiatives like the “green” supply chain.
When undertaking something as momentous as driving a new buying criterion into the purchase of software, enterprises would be advised to start practically, by choosing suppliers who are already building and selling secure software and need not be hectored into it. “Choose the right suppliers” has, nevertheless, the same sort of oxymoronic ring as “test the most insecure applications.” How do you know which suppliers are the right—i.e. secure—ones?
However, this advice is ultimately more practical than it sounds. Ensuring that the suppliers chosen adhere to a new supply chain requirement depends upon two things: a capability to measure and enforce the supplier’s adherence to the requirement, and a clearly defined standard or certification that the supplier can use to advertise their capabilities on these issues.
Measuring and enforcing supplier compliance with the “green” standard has been carried out in multiple ways. Massive buyers like Walmart may well be able to enforce new initiatives on pain of the supplier losing its ability to do business with Walmart at all. The Wharton article “Managing Green Supply Chains” talks about a Walmart supplier’s conference in China at which the law was laid down: “the (supplier) CEOs were told that half of them would be getting more business from Walmart and the other half would no longer be doing any business at all with the retail giant. Walmart’s new environmental rules were then handed out and the CEOs were told to make sure they figured out how to end up in the winning half.”
On the other end of the spectrum is a collaborative effort with suppliers where there is a joint effort to identify the right ways to measure and describe compliance.
Establishing industry standards in transformation efforts is a follow-on to the stage of market evolution in which suppliers are working to “figure it out.” For all their weaknesses, standards can have a way of removing tremendous costs from supply chain transformation initiatives by defining clearly what counts as “compliant” and giving suppliers the ability to proactively advertise their compliance, rather than having to negotiate with each customer to establish what compliance means.
In “green” this can take a variety of different forms. For instance, when International Paper chooses suppliers that meet its goal to provide wood fiber from sustainable sources, they accept certifications from multiple bodies, stating, “The key is to work with the certification agencies rather than starting to get into arguments about differentiating very subtle differences between the approaches of the different certification bodies.”
It is harder to establish a standard signal of compliance in the application security world. Initiatives like “hacker-proof” statements and seals based on limited testing draw scorn from security practitioners. At some point, though, some balance must be struck between perfect, contextual security and adoption of a sufficiently strong standard, lest the perfect be the enemy of the good. In this light, the recent FS-ISAC working paper that establishes a combination of vBSIMM or an equivalent maturity model, software composition analysis, and binary static analysis as the required controls for third-party software security is a welcome sign of market maturity and a big step toward making it possible for an enterprise to choose secure suppliers.