When you buy a car, would you trust it if it hadn't gone through extensive crash safety testing? Of course not. The safety and reliability of the vehicle is paramount and knowing it has been rigorously tested gives you peace of mind.
Similarly, would you take a new prescription drug that has not gone through rigorous FDA safety and effectiveness testing? Absolutely not! We rely on these safety measures to protect our health and well-being.
Why, then, do so many companies purchase software and hardware without thoroughly assessing the cybersecurity risks associated with these products? In today’s world, where cyber threats are becoming more prevalent and sophisticated, this blind trust in software security is not only risky, but unacceptable.
Why should software security analysis be part of the enterprise purchasing and procurement process?
In the modern enterprise, software is the backbone of every company. It drives business processes, connects companies with customers and partners, automates administrative tasks, and even builds market presence. Today’s world is built on software: third-party software, open source software, in-house developed software, operating system software, applications, containers, and device firmware, to name a few.
However, this reliance on software comes with hidden dangers. Many companies operate under the assumption that the software they purchase is inherently secure. Unfortunately, recent high-profile security breaches in the software supply chain have clearly demonstrated otherwise. The reality is that all software, no matter how reputable its source, poses risks.
Despite this, current software procurement processes rarely include quantifiable methods for assessing the cybersecurity risk of the products under consideration. According to NetRise software analytics, there can be up to a 300% difference in software risk levels between similar software asset classes from different vendors. This means that some products can be significantly more secure than others, even if they appear similar at first glance.
The recognition that cybersecurity should be a key factor in purchasing decisions is not new. Since at least 2018, there has been a growing awareness that purchasing departments should evaluate the cybersecurity of a vendor’s software alongside traditional factors such as quality and delivery performance. The question is no longer whether to include cybersecurity in purchasing processes, but why now more than ever.
Why now?
Software supply chain attacks are on the rise; consider these statistics:
According to Capterra’s 2023 Software Supply Chain Survey, 61% of organizations were affected by a software supply chain cyberattack in the 12 months prior to the survey.
Software supply chain attacks have become a global challenge, with their scope and frequency increasing dramatically. However, proactive efforts to mitigate these risks remain lacking: only 7% of respondents to Sonatype’s ninth annual State of the Software Supply Chain Report have made efforts to review security risks in their supply chains.
It is clear that the company's purchasing and acquisition process is where these assessments should begin.
But isn't security already part of the corporate procurement process?
You might assume that security is already built into a company’s procurement process. To a certain extent, this is true. Many organizations include supply chain security measures as part of their procurement practices. However, these measures typically do not include direct testing or assessment of the cybersecurity risks of the software products being considered.
So what does a company’s typical procurement process include? According to the Cybersecurity and Infrastructure Security Agency (CISA), standard practices typically include:
- Supplier Questionnaires and Evaluations
- Reviews of supplier security policies and practices
- Third-party certification audits (e.g. ISO 27001)
- Contractual security requirements
- Supplier Performance Management
These steps are important, but they rely heavily on information provided by vendors themselves. While we rely on third-party organizations like the National Highway Traffic Safety Administration (NHTSA) and the Food and Drug Administration (FDA) to conduct independent safety testing for cars and drugs, we often rely on software vendors to self-report their cybersecurity status. This is a critical gap in the process and is where the “trust but verify” principle must come into play.
Trust, but verify: Know the exact vulnerability and risk status of the software you purchase
Companies should take a proactive approach by directly analyzing the enterprise software they are considering purchasing as part of their procurement process.
Many organizations simply do not know that this is possible. It is, and with automated tooling a candidate product's firmware or software package can be analyzed in minutes rather than weeks, efficiently enough to fit inside a normal procurement timeline.
This is where the idea of “trust but verify” comes into play. Blind trust in software can have devastating consequences, from data breaches to operational disruptions. Full visibility into all software components and dependencies is not only advisable, but necessary. And this level of visibility can be seamlessly integrated into all of the company’s purchasing and procurement processes.
Steps to incorporate software analysis into procurement
To address these challenges, organizations must prioritize integrating software analysis into their procurement workflows. The findings of the NetRise study underscore the importance of having a detailed understanding of all software components and their risks. Below are the basic steps that companies should consider:
Generate complete SBOMs: Creating detailed software bills of materials (SBOMs) is the foundation of effective supply chain security. An SBOM provides a clear inventory of all software components, including third-party libraries and transitive dependencies, and that inventory is what every later risk step is built on. In a recent NetRise study, we generated detailed SBOMs for 100 tested network equipment devices and found that each device contains 1,267 software components on average.
Implement automated software risk analysis: By matching every SBOM component against known-vulnerability data, organizations can build a complete picture of the risk of each software package or firmware image, rather than relying on what the vendor chooses to disclose. In the NetRise study, we found that the average network device has 1,120 known vulnerabilities in its underlying software components.
Prioritize and compare software risks: Once comprehensive visibility is achieved, organizations should prioritize vulnerabilities based on factors beyond CVSS scores, such as whether an exploit is publicly available (weaponization) and whether the vulnerable component is reachable from the network. This narrows the raw list to the findings an attacker could actually use, and with that prioritized list, teams can compare the risk status of the different products under consideration on a like-for-like basis. For example, in the NetRise study, we found that on average there are only 20 weaponized vulnerabilities per network device, and only 7 of those are also accessible from the network.
Responsible disclosure of vulnerabilities and risks: Once this analysis is part of the purchasing process, companies should establish a responsible disclosure process for sharing vulnerability and risk findings with the software vendors under consideration. The findings should be treated as confidential and not shared outside the organization beyond the affected vendor.
By focusing on these steps, organizations can significantly improve the security of their supply chain processes and of the software and hardware they purchase.
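To make the four steps concrete, here is an added example (not NetRise's tooling and not code from the article) that parses constructed CycloneDX-style SBOMs for two hypothetical candidate products, joins them against a constructed vulnerability feed, and ranks the products by weaponized-and-network-reachable findings rather than by raw vulnerability count or CVSS. All component names, versions and finding IDs are placeholders, and the "weaponized" and "network" flags stand in for the signals a real feed would supply (a known-exploited listing or public exploit, and network reachability of the component).

```python
"""Rank candidate products by exploitable exposure, not raw vulnerability counts.

Added example for this article; it is not NetRise's product or the author's code.
Every SBOM, component, and finding below is constructed placeholder data.
"""
import json
from dataclasses import dataclass

# Constructed CycloneDX-style SBOMs for two hypothetical candidate products.
# Component names and versions are placeholders, not real packages.
SBOM_VENDOR_A = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-tls", "version": "1.0.2"},
        {"type": "application", "name": "example-httpd", "version": "2.4"},
        {"type": "library", "name": "example-zlib", "version": "1.2.11"},
    ],
})
SBOM_VENDOR_B = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-tls", "version": "3.0.1"},
        {"type": "application", "name": "example-httpd", "version": "2.4"},
        {"type": "library", "name": "example-zlib", "version": "1.2.11"},
        {"type": "library", "name": "example-imagelib", "version": "0.9"},
    ],
})

# Constructed vulnerability feed: {(name, version): [finding, ...]}. IDs are
# placeholders. "weaponized" stands for a public exploit or known-exploited
# listing; "network" means the component is reachable without local access.
VULN_FEED = {
    ("example-tls", "1.0.2"): [
        {"id": "EXAMPLE-0001", "cvss": 9.8, "weaponized": True, "network": True},
        {"id": "EXAMPLE-0002", "cvss": 7.5, "weaponized": False, "network": True},
        {"id": "EXAMPLE-0003", "cvss": 5.3, "weaponized": False, "network": False},
    ],
    ("example-httpd", "2.4"): [
        {"id": "EXAMPLE-0004", "cvss": 8.1, "weaponized": True, "network": True},
    ],
    ("example-zlib", "1.2.11"): [
        {"id": "EXAMPLE-0005", "cvss": 7.8, "weaponized": True, "network": False},
    ],
    ("example-imagelib", "0.9"): [
        {"id": "EXAMPLE-0006", "cvss": 9.1, "weaponized": False, "network": True},
        {"id": "EXAMPLE-0007", "cvss": 6.5, "weaponized": False, "network": False},
    ],
}


@dataclass(frozen=True)
class RiskProfile:
    product: str
    components: int
    total: int        # every known vulnerability across the inventory
    weaponized: int   # public exploit or known-exploited listing
    exposed: int      # weaponized AND network reachable: the action list

    def sort_key(self):
        # Rank by what an attacker can actually use first, raw count last.
        return (self.exposed, self.weaponized, self.total)


def parse_components(sbom_json: str) -> list[tuple[str, str]]:
    """Return (name, version) pairs from a CycloneDX JSON document."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    return [(c["name"], c.get("version", "")) for c in doc.get("components", [])]


def match_vulns(components, feed):
    """Join the inventory against the feed; unmatched components contribute nothing."""
    findings = []
    for key in components:
        for v in feed.get(key, []):
            findings.append({**v, "component": f"{key[0]}@{key[1]}"})
    return findings


def profile(product: str, sbom_json: str, feed=VULN_FEED) -> RiskProfile:
    """Steps 1 and 2: inventory the SBOM and enrich it with known vulnerabilities."""
    comps = parse_components(sbom_json)
    vulns = match_vulns(comps, feed)
    return RiskProfile(
        product=product,
        components=len(comps),
        total=len(vulns),
        weaponized=sum(1 for v in vulns if v["weaponized"]),
        exposed=sum(1 for v in vulns if v["weaponized"] and v["network"]),
    )


def rank(profiles: list[RiskProfile]) -> list[RiskProfile]:
    """Step 3: lowest exploitable exposure first, for side-by-side comparison."""
    return sorted(profiles, key=RiskProfile.sort_key)


def action_list(sbom_json: str, feed=VULN_FEED) -> list[str]:
    """Finding IDs that are weaponized and network reachable, highest CVSS first."""
    vulns = match_vulns(parse_components(sbom_json), feed)
    hot = [v for v in vulns if v["weaponized"] and v["network"]]
    return [v["id"] for v in sorted(hot, key=lambda v: -v["cvss"])]


if __name__ == "__main__":
    ranked = rank([profile("vendor-a-gateway", SBOM_VENDOR_A),
                   profile("vendor-b-gateway", SBOM_VENDOR_B)])
    for p in ranked:
        print(f"{p.product}: {p.components} components, {p.total} known vulns, "
              f"{p.weaponized} weaponized, {p.exposed} weaponized+network")
```

Running it ranks the hypothetical vendor B product ahead of vendor A even though B ships more components and carries the single highest CVSS finding: B has one weaponized, network-reachable finding to A's two. That is precisely the distinction a raw count, or a CVSS-sorted list, would hide during a procurement comparison. Swapping the constructed feed for real data (an SBOM matcher plus a known-exploited catalog and an exposure model) keeps the same structure.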
Conclusion
In today’s rapidly evolving cyber threat landscape, it’s no longer enough to trust that the software you purchase is secure. The risks are too great and the consequences of a breach are too severe. By incorporating software analysis into the procurement process, organizations can make informed, confident decisions when purchasing new software and hardware.
Comprehensive software visibility, automated risk analysis, and responsible risk disclosure are not just best practices, but essential steps for any organization looking to protect its digital assets. It’s time to go beyond mere trust. It’s time to verify. By adopting these practices, organizations can build a solid foundation for their cybersecurity efforts and protect their operations against the rising tide of software supply chain attacks.
Now is the time to act. Integrate software analysis into your procurement process today and take control of your software supply chain security.
This article was produced as part of TechRadarPro's Expert Insights channel, where we showcase the best and brightest minds in the tech industry today. The views expressed here are those of the author, and not necessarily those of TechRadarPro or Future plc.