Evaluating Embedded Vulnerabilities and Cybersecurity Risks in Procurement
When you buy a car, would you trust it if it hadn’t been extensively crash tested? Of course not. The safety and reliability of the vehicle are paramount, and knowing that it has been thoroughly tested gives you peace of mind.
Would you take a new prescription drug that hasn’t gone through the FDA’s rigorous safety and effectiveness testing? Absolutely not. We rely on these safety measures to protect our health and well-being.
Why do so many companies purchase software and hardware without thoroughly evaluating the cybersecurity risks associated with these products? In today’s world, where cyber threats are becoming more frequent and sophisticated, this blind trust in software security is not only risky, it is unacceptable.
Why should software security analysis be part of the corporate procurement and tendering process?
In the modern enterprise, software is the backbone of every business. It powers business processes, connects companies to customers and partners, automates back-office tasks, and even builds market position. Today’s world is built on software – third-party software, open-source software, internally developed software, operating system software, applications, containers, and device firmware, to name a few.
However, this reliance on software comes with hidden dangers. Many companies assume that the software they purchase is inherently safe. Unfortunately, recent high-profile breaches in the software supply chain have proven otherwise. The reality is that every piece of software, no matter how trusted the source, carries risks.
Despite this, current software procurement processes rarely include quantifiable methods to evaluate the cybersecurity risk of the products under consideration. According to NetRise software analytics, there can be up to a 300% difference in software risk levels between similar software asset classes from different vendors. This means that some products can be significantly more secure than others, even if they appear similar at first glance.
The recognition that cybersecurity should be a key consideration in purchasing decisions is not new. Since at least 2018, there has been a growing awareness that procurement departments must evaluate the cybersecurity of a vendor’s software alongside traditional factors such as quality and delivery performance. The question is no longer whether cybersecurity should be included in procurement processes, but why it matters now more than ever.
Why now?
Attacks on the software supply chain are on the rise. Consider these alarming statistics:
According to Capterra’s “2023 Software Supply Chain Survey,” 61% of companies suffered a software supply chain cyberattack in the 12 months prior to the survey.
Software supply chain attacks have become a global challenge, dramatically increasing in scale and frequency. Yet proactive efforts to mitigate these risks remain rare: Only 7% of respondents to Sonatype’s ninth annual State of the Software Supply Chain report have made an effort to assess security risks in their supply chains.
Clearly, these evaluations must begin with the company’s purchasing and tendering process.
But isn’t security already part of a company’s purchasing process?
One might assume that security is already baked into the enterprise procurement process. To some extent, this is true. Many organizations include supply chain security measures as part of their procurement practices. However, these measures typically do not include direct testing or evaluation of the cybersecurity risks of the software products being considered.
So, what does a typical enterprise procurement process include? According to the Cybersecurity and Infrastructure Security Agency (CISA), standard practices often include:
- Supplier questionnaires and evaluations
- Assessments of the vendor’s security policies and practices
- Third-party certification audits (e.g. ISO 27001)
- Contractual security requirements
- Supplier performance management
These steps are important, but they rely heavily on vendor self-reporting. While we trust third-party organizations like the National Highway Traffic Safety Administration (NHTSA) and the Food and Drug Administration (FDA) to conduct independent safety testing for cars and drugs, we often rely on software vendors to self-report their cybersecurity posture. This is a critical gap in the process, and this is where the principle of “trust but verify” must come into play.
Trust, but verify: Know the exact vulnerability and risk status of the software you buy
Companies need to take a proactive approach by analyzing the software they intend to buy as part of the procurement process itself, before a contract is signed rather than after deployment.
Many organizations don’t realize that this is even possible. It is: automated analysis of a firmware image or software package can produce a component inventory and a vulnerability picture in minutes, not weeks, and it can be done efficiently and effectively.
This is where “trust but verify” comes in. Blind faith in software can have devastating consequences, from data breaches to operational disruptions. Comprehensive visibility into all software components and dependencies is not just advisable; it’s necessary. And this level of visibility can be seamlessly integrated into any enterprise procurement and purchasing process.
Steps to Integrate Software Analytics into Purchasing
To address these challenges, organizations must prioritize integrating software analytics into their procurement workflows. The NetRise study findings emphasize the critical importance of a detailed understanding of all software components and risks. Here are some basic steps companies should consider:
Generate extended SBOMs: Creating detailed Software Bills of Materials (SBOMs) is the foundation for effective supply chain security. SBOMs provide a clear inventory of all software components, including libraries and third-party dependencies. This inventory is essential for effectively identifying and managing risk. In a recent NetRise study, we generated detailed SBOMs for 100 tested network equipment devices and found that each device contained an average of 1,267 software components.
Implement automated software risk analysis: Using detailed software risk assessment methods, companies can uncover a complete risk picture of any software or firmware package, allowing for a thorough risk assessment. In the NetRise study, we found that the average network equipment device has 1,120 known vulnerabilities in its underlying software components. That raw count is a starting point, not a verdict: many of those vulnerabilities sit in components or code paths the product may never expose, which is why the next step matters.
Prioritize and compare software risks: Once comprehensive visibility is achieved, organizations should prioritize vulnerabilities based on factors beyond CVSS scores, such as weaponization (a working exploit is publicly known) and network accessibility (the vulnerable component is reachable over the network). This approach ensures that the most critical threats are identified. Using this prioritized list of critical threats, teams can compare and contrast the risk posture of different software products under consideration. For example, in the NetRise study, we found that of the 1,120 known vulnerabilities per device, on average only 20 were weaponized, and upon closer inspection only 7 of those weaponized vulnerabilities were also network accessible.
Responsible vulnerability and risk disclosure: Once analysis is part of procurement and tender processes, companies should establish a process for responsibly disclosing the vulnerability and risk findings to the software vendors under consideration. These findings should be treated as confidential: shared with the affected vendor so it can remediate, and not published or passed to third parties.
By focusing on these steps, organizations can significantly improve the security of their software supply chain and of the software and hardware they purchase.
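The funnel described in the steps above (all known vulnerabilities, then the weaponized subset, then the weaponized and network-reachable subset, then a side-by-side ranking of candidate products) can be scripted once the SBOMs exist. The following is an added example written for this article, not NetRise’s tooling or method. The two CycloneDX-style SBOMs for fictional "Vendor A" and "Vendor B" firmware, the partial vulnerability feed, and the product names are constructed inline so it runs offline; the CVE identifiers are real and well known, but in practice the feed would come from NVD plus an exploit-intelligence source (CISA’s KEV catalog is a common proxy for "weaponized"), and the triage attributes shown are illustrative inputs.

```python
"""Added example (not from the article): triage vulnerabilities from
candidate products' SBOMs and rank the candidates before purchase.
All inputs below are constructed for the example; the feed is a
stand-in for NVD + exploit intelligence and is deliberately partial."""
import json

# Constructed CycloneDX-style SBOMs for two fictional candidate products.
SBOMS = {
    "Vendor A edge router fw 3.2": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"name": "openssl", "version": "1.0.1f"},
            {"name": "log4j-core", "version": "2.14.1"},
            {"name": "sudo", "version": "1.8.31"},
            {"name": "zlib", "version": "1.2.11"},
        ],
    }),
    "Vendor B edge router fw 7.0": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"name": "openssl", "version": "3.0.13"},
            {"name": "sudo", "version": "1.8.31"},
            {"name": "zlib", "version": "1.2.11"},
            {"name": "busybox"},  # no version: cannot be matched, must be flagged
        ],
    }),
}

# Constructed feed keyed by name@version. attack_vector follows the CVSS v3
# AV metric; weaponized = public exploit known (the three flagged True are
# listed in CISA's KEV catalog). Real CVE IDs, illustrative triage flags.
FEED = {
    "openssl@1.0.1f": [
        {"id": "CVE-2014-0160", "cvss": 7.5, "attack_vector": "NETWORK", "weaponized": True}],
    "log4j-core@2.14.1": [
        {"id": "CVE-2021-44228", "cvss": 10.0, "attack_vector": "NETWORK", "weaponized": True}],
    "sudo@1.8.31": [
        {"id": "CVE-2021-3156", "cvss": 7.8, "attack_vector": "LOCAL", "weaponized": True}],
    "zlib@1.2.11": [
        {"id": "CVE-2018-25032", "cvss": 7.5, "attack_vector": "NETWORK", "weaponized": False}],
}


def load_components(sbom_json: str):
    """Return (matchable name@version keys, names with no version) from an SBOM."""
    bom = json.loads(sbom_json)
    keys, unversioned = [], []
    for c in bom.get("components", []):
        if c.get("version"):
            keys.append(f"{c['name']}@{c['version']}")
        else:
            unversioned.append(c["name"])
    return keys, unversioned


def triage(sbom_json: str, feed: dict) -> dict:
    """Apply the funnel: known -> weaponized -> weaponized and network-reachable."""
    keys, unversioned = load_components(sbom_json)
    known = [v for k in keys for v in feed.get(k, [])]
    weaponized = [v for v in known if v["weaponized"]]
    # "Network accessible" is approximated by CVSS AV:N here; a real assessment
    # also confirms the component is actually exposed by the product.
    exposed = [v for v in weaponized if v["attack_vector"] == "NETWORK"]
    return {
        "components": len(keys) + len(unversioned),
        "unversioned": unversioned,          # unassessable: treat as a finding
        "known": len(known),
        "weaponized": len(weaponized),
        "weaponized_network": len(exposed),
        "top": sorted(v["id"] for v in exposed),
    }


def compare(sboms: dict, feed: dict) -> list:
    """Rank candidates: fewest weaponized+network vulns, then weaponized, then known."""
    results = {name: triage(s, feed) for name, s in sboms.items()}
    order = sorted(results, key=lambda n: (results[n]["weaponized_network"],
                                           results[n]["weaponized"],
                                           results[n]["known"]))
    return [(n, results[n]) for n in order]


if __name__ == "__main__":
    for name, r in compare(SBOMS, FEED):
        print(f"{name}: {r['known']} known -> {r['weaponized']} weaponized -> "
              f"{r['weaponized_network']} weaponized & network-reachable {r['top']}")
        if r["unversioned"]:
            print(f"  WARNING: unversioned components, risk not assessable: {r['unversioned']}")
```

Two design points matter in procurement use. First, the ranking key puts weaponized and network-reachable vulnerabilities ahead of raw counts, so a product with more total CVEs but none that are exploitable from the network ranks better, which is the comparison the article argues for. Second, a component with no version is surfaced as a warning rather than silently counted as clean; an SBOM that cannot be matched against a feed is itself a finding to raise with the vendor.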
Conclusion
In today’s rapidly changing cyber threat landscape, it’s no longer enough to simply trust that the software you purchase is secure. The risks are too great and the consequences of a breach are too severe. By incorporating software analytics into the procurement process, organizations can ensure they are making informed, secure choices when purchasing new software and hardware.
Comprehensive software visibility, automated risk analysis, and responsible risk disclosure are not only best practices, but essential steps for any organization looking to protect its digital assets. It’s time to move beyond trust. It’s time to verify. By implementing these practices, organizations can build a robust foundation for their cybersecurity efforts and protect their operations from the growing wave of software supply chain attacks.
Now is the time to take action. Integrate software analytics into your procurement process today and take control of the security of your software supply chain.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of TechRadarPro or Future plc.