No matter the size or reputation of a prospective software vendor, it’s always a good idea to conduct some form of security vetting. The SolarWinds breach was certainly a reminder of that.
As a starting point, requesting a software bill of materials (SBOM) gives you visibility into the third-party components a product ships with, and therefore into the vulnerabilities you inherit with it; we highlighted several benefits of consuming SBOMs earlier in this guide. The NTIA's "Minimum Elements for a Software Bill of Materials" (published in 2021 under Executive Order 14028) is a good baseline for the data an SBOM should carry: supplier name, component name, component version, other unique identifiers, dependency relationships, the author of the SBOM data, and a timestamp. (Note that this guidance is binding only on producers selling software to the U.S. federal government; for everyone else it is a baseline to request, not a requirement.)
To get maximum benefit, insist that the SBOM be delivered in a machine-readable format (e.g. SPDX or CycloneDX, serialized as JSON or XML) so it can be ingested by vulnerability scanners and inventory tooling, not only as a human-readable document or spreadsheet. An SBOM you cannot parse automatically will not be kept current or cross-referenced against new advisories.
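As an added example (not code from this guide or from NTIA), the following Python script shows the kind of intake gate an organization can run on a vendor-supplied CycloneDX JSON SBOM before accepting it: it checks the seven NTIA minimum-element data fields and reports what is missing. The SBOM document embedded in it is constructed for illustration; the field names used (`metadata.timestamp`, `metadata.authors`, `metadata.tools`, `supplier.name`, `publisher`, `purl`, `cpe`, `swid`, `bom-ref`, `dependencies[].ref`, `dependencies[].dependsOn`) are those of the CycloneDX 1.4 JSON schema. It is a minimum-elements check, not a full schema validator.

```python
"""Check a CycloneDX JSON SBOM against the NTIA minimum-element data fields.

Added example for this guide (not the guide's or NTIA's own code).  Covers the
seven NTIA data fields only: supplier name, component name, version, other
unique identifiers, dependency relationship, SBOM author, timestamp.
"""
import json
from datetime import datetime

# Constructed sample: a CycloneDX 1.4 document as a vendor might deliver it.
# "libfoo" is complete; "libbar" lacks a version and any unique identifier
# and is not wired into the dependency graph, so it should produce findings.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "timestamp": "2024-03-01T12:00:00Z",
    "authors": [{"name": "Example Vendor Release Engineering"}],
    "component": {"type": "application", "name": "example-app",
                  "version": "2.1.0", "bom-ref": "pkg:generic/example-app@2.1.0"}
  },
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.4.2",
     "bom-ref": "pkg:pypi/libfoo@1.4.2", "purl": "pkg:pypi/libfoo@1.4.2",
     "supplier": {"name": "Foo Project"}},
    {"type": "library", "name": "libbar", "bom-ref": "libbar-ref",
     "publisher": "Bar Inc."}
  ],
  "dependencies": [
    {"ref": "pkg:generic/example-app@2.1.0", "dependsOn": ["pkg:pypi/libfoo@1.4.2"]},
    {"ref": "pkg:pypi/libfoo@1.4.2", "dependsOn": []}
  ]
}
"""


def _component_findings(comp: dict, index: int) -> list:
    """Per-component checks: supplier, name, version, unique identifier."""
    label = comp.get("name") or f"components[{index}]"
    findings = []
    # Supplier Name: CycloneDX carries it as supplier.name or the older
    # free-text "publisher" string; accept either.
    supplier = (comp.get("supplier") or {}).get("name") or comp.get("publisher")
    if not supplier:
        findings.append(f"{label}: missing supplier name")
    if not comp.get("name"):
        findings.append(f"{label}: missing component name")
    if not comp.get("version"):
        findings.append(f"{label}: missing version")
    # Other Unique Identifiers: a purl, a CPE, or a SWID tag.
    if not (comp.get("purl") or comp.get("cpe") or comp.get("swid")):
        findings.append(f"{label}: missing unique identifier (purl/cpe/swid)")
    return findings


def check_minimum_elements(sbom: dict) -> list:
    """Return a list of human-readable findings; an empty list means the SBOM
    carries every NTIA minimum-element data field."""
    findings = []
    meta = sbom.get("metadata") or {}
    # Author of SBOM Data: a person/organization, or the generating tool.
    if not (meta.get("authors") or meta.get("tools")):
        findings.append("metadata: missing SBOM author (metadata.authors or metadata.tools)")
    # Timestamp: present and parseable as ISO 8601.
    ts = meta.get("timestamp")
    if not ts:
        findings.append("metadata: missing timestamp")
    else:
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            findings.append(f"metadata: timestamp {ts!r} is not ISO 8601")

    components = sbom.get("components") or []
    if not components:
        findings.append("components: empty; nothing to inventory")
    for i, comp in enumerate(components):
        findings.extend(_component_findings(comp, i))

    # Dependency Relationship: every component should appear in the graph,
    # either as a node ("ref") or as something another node depends on.
    deps = sbom.get("dependencies") or []
    if not deps:
        findings.append("dependencies: section missing; no relationships recorded")
    referenced = set()
    for d in deps:
        if d.get("ref"):
            referenced.add(d["ref"])
        referenced.update(d.get("dependsOn") or [])
    for i, comp in enumerate(components):
        label = comp.get("name") or f"components[{i}]"
        ref = comp.get("bom-ref")
        if not ref or ref not in referenced:
            findings.append(f"{label}: not present in dependency graph")
    return findings


def load_and_check(sbom_json: str) -> list:
    """Parse a CycloneDX JSON string and run the minimum-elements check."""
    return check_minimum_elements(json.loads(sbom_json))


if __name__ == "__main__":
    for finding in load_and_check(SAMPLE_SBOM_JSON):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports three findings, all on `libbar` (no version, no identifier, absent from the dependency graph). In practice you would run this on every SBOM a vendor delivers and treat findings as questions to send back; a component without a purl or CPE cannot be matched against advisory feeds, which defeats the purpose of asking for the SBOM.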
Additionally, it can be helpful to create a checklist or matrix to guide your evaluation of a vendor's security practices and processes. NIST's publication on managing cybersecurity risk throughout the supply chain (SP 800-161r1) includes an extensive list of sample questions (pages 220-227) that organizations might consider adding to their lists. These include:
Certainly, a vendor's answers to a questionnaire can only go so far in informing your evaluation; they are self-reported, and should be checked against artifacts such as the SBOM, third-party assessments, and the vendor's own disclosure history wherever possible. But vetting your software vendors is an important piece of the broader software supply chain security solution.