Application security is, as any practitioner will tell you, a hard technical and business problem unlike any other. The best advice for successfully securing software is usually to avoid thinking about it like any other problem — software security testers are not like quality assurance professionals, and many security failures arise when developers think conventionally about use cases rather than abuse cases. But just because application security is a distinct problem does not mean that we should fail to learn from other fields, when applicable. And one of the opportunities for learning is in what appears at first glance to be a doubly difficult problem: securing the software supply chain.

Why is software supply chain security needed? The majority of businesses are not building every application they use, they are turning to third parties like outsourced and commercial software vendors. According to IDG, over 62% of an enterprises’ software portfolio was developed outside the enterprise.

Over 62% of an enterprises’ software portfolio is developed outside the enterprise.


How should these enterprises be thinking about security? Software supply chain security efforts have all the challenges of conventional app sec initiatives, combined with the contractual, legal, and organizational issues of motivating change across organizational boundaries. But the consequences of ignoring supply chain issues in an application security program are momentous. Most applications are composed of first party code surrounding libraries and other code sourced from third parties — both commercial libraries and open source projects. Purchased applications deployed on the internet or the internal network may access sensitive customer or corporate data and must be evaluated and secured just like first party code, lest a thief steal data through an unlocked virtual door. And increasingly standards like PCI are holding enterprises responsible for driving security requirements into their suppliers. So what are we to do? Fortunately, software security is not the only large, complex initiative that has implications on the supply chain. Software supply chain security initiatives can take inspiration from other supply chain transformation initiatives, including the rollout of RFID in the early 2000s by Walmart and others, and — particularly — the rise of “green” supply chain efforts.

In fact, software security bears close similarity to “green” efforts to reduce CO2 emissions and waste in the supply chain. Both “green” and security have significant societal benefits, but have historically been avoided in favor of projects more directly connected to revenue. Both have recently seen turns where customers have started to demand a higher standard of performance from companies. And both require coordination of efforts across the supply chain to be successful.

This series of blog posts will explore some simple principles for supply chain transformation that can be derived from efforts to implant “green” or to drive RFID adoption. The basic building blocks stem from research done into green efforts by the Wharton School of Business and published in 2012, and are supplemented with learnings from RFID. We’ll cover seven principles of supply chain transformation and show you how to apply them to your software supply chain initiative:

The Seven Habits of Highly Effective Third-Party Software Security Programs

  1. Choose the right suppliers
  2. Put your efforts where they do the most good
  3. Use suppliers as force multipliers
  4. Collaborate to innovate
  5. The elephant in the room is compliance
  6. Drive compliance via “WIIFM”
  7. Align benefits for enterprise and supplier - or pay

I hope you enjoy the series and look forward to the discussion!

Tim Jarrett is Senior Director of Product Marketing at Veracode. A Grammy-award winning product professional, he joined Veracode in 2008 and has a Bacon number of 3. He can be found on Twitter as @tojarrett.



contact menu