The C-word - compliance - is one that has a mixed reception in application security circles. While some observers, like Verizon, say that there’s a correlation between compliance efforts like PCI and reduced likelihood of breach, others see compliance efforts as not doing enough to move the needle on application security. But the fact remains that if you’re trying to run a supply chain transformation effort, you need a clearly defined rules for what constitutes the standards for compliance — and what are the consequences if they’re not met.
There are examples of setting clear standards for a supply chain in a number of different models of supply chain transformation. In this blog series, we’ve been looking at “green” supply chain efforts — trying to drive ecological responsibility across a network of suppliers — as an analogue to trying to drive software security requirements into the supply chain. The challenges are both technical and sociopolitical, and may vary by geography. For instance, Charles Howland, senior assistant regional counsel for the Environmental Protection Agency, has said, "The only way that you can ensure that your supplier is green, by whatever standards you set, is your own people in the field doing enforcement the way the government here does under U.S. laws.” (quoted in the Wharton article “Managing Green Supply Chains”).
In the appsec world, there are few public examples of how enterprises manage the security of their supply chains. One exception is Boeing, where program manager John Martin has spoken about how they have set clear compliance policies and consequences for their suppliers. The supplier is held to the same standards as internal developers, and a finding of “red” status for that supplier gets communicated to that supplier’s business owner VP and elevated into the contractual discussion. The standards are communicated during the RFI/RFP process, so that suppliers have a clear signal of Boeing’s expectations. (The webinar “How We Secure 300 Third-Party Applications” provides more details about Boeing’s approach to securing its supply chain.)
One advantage that enterprises who use Veracode to secure their supply chains get to establish a clear compliance standard is Veracode’s in-built policy management system, that allows for clear and unambiguous security policies to be established that define risk tolerance in terms of flaw type and severity, testing type and frequency, and time to fix, and that can be applied to both internally and externally developed code. However, an enterprise still must clearly communicate the consequences of noncompliance, and enforce them, for a supply chain transformation effort to succeed.