When you purchase a car, you expect it to have undergone extensive crash safety testing to ensure its reliability. Similarly, when taking a new prescription drug, you rely on the rigorous testing it has undergone to ensure it’s safe for your health. These measures provide peace of mind, knowing that these products are safe to use.
So, why do so many companies buy software and hardware without thoroughly evaluating the cybersecurity risks in procurement? In today’s world, where cyber threats are more frequent and sophisticated, blindly trusting the security of software is not only risky but also increasingly unacceptable. As businesses rely heavily on technology to drive operations, evaluating cybersecurity risks in procurement is more critical than ever.
Why Should Software Security Be Part of the Procurement Process?
In modern businesses, software is at the heart of everything. It powers critical operations, automates back-office tasks, connects companies with customers, and enables business growth. Companies rely on a vast array of software—from third-party and open-source platforms to in-house developments, operating systems, applications, and device firmware. However, this reliance on software brings hidden dangers. Many organizations assume that the software they purchase is secure, but recent high-profile breaches show that software, regardless of its source, poses cybersecurity risks.
Despite these risks, many procurement processes lack proper mechanisms to evaluate the cybersecurity risks of the software being considered. For instance, NetRise’s software analyses reveal up to a 300% difference in risk levels between similar software asset classes from different vendors. This means that products which may seem similar on the surface can present significantly different cybersecurity risks.
The importance of evaluating cybersecurity in procurement is not new. Since 2018, awareness has grown that purchasing departments must assess software security alongside other factors like quality and performance. The question is no longer whether to include cybersecurity in procurement processes, but why it’s more crucial now than ever.
Why Now?
Cyberattacks targeting supply chains are on the rise. Consider these alarming statistics:
- According to Capterra’s 2023 Software Supply Chain Survey, 61% of companies reported being impacted by a software supply chain cyberattack in the preceding 12 months.
- These attacks are becoming global challenges, with software supply chain threats growing both in scope and frequency. Yet, proactive efforts to mitigate these risks remain scarce. Sonatype’s ninth annual State of the Software Supply Chain report shows that only 7% of companies review the security risks in their supply chains.
Given the growing threats, the procurement process is where risk evaluations should begin. Incorporating cybersecurity risk assessments into purchasing decisions is no longer optional—it’s a necessity for safeguarding operations.
Is Security Already Part of the Procurement Process?
Many assume that security is already embedded in enterprise procurement processes, and to some extent, it is. Organizations often include general supply chain security measures as part of their procurement practices. These measures might involve:
- Vendor questionnaires and assessments
- Reviews of a vendor’s security policies and practices
- Audits of third-party certifications, such as ISO 27001
- Contractual security requirements
- Supplier performance management
While these steps are important, they primarily rely on self-reporting by vendors. Unlike industries where independent agencies such as the National Highway Traffic Safety Administration (NHTSA) or the Food and Drug Administration (FDA) conduct safety testing, businesses often depend on software vendors to self-assess and report their cybersecurity status. This leaves a critical gap—one that needs to be addressed by adopting a “trust but verify” approach.
Trust, But Verify: Analyzing Vulnerabilities in Procurement
To truly address cybersecurity risks in procurement, companies need to move beyond relying on vendor-reported information and directly analyze the software they are considering purchasing. Many organizations don’t realize this is possible, but it is—and it can be done efficiently. Direct software analysis provides complete visibility into potential vulnerabilities and risks before purchase, allowing businesses to make informed decisions.
The “trust but verify” approach is essential because blindly trusting software security can lead to disastrous consequences, from data breaches to operational disruptions. Comprehensive visibility into software components and dependencies is necessary for safeguarding the supply chain. This level of analysis should be integrated into every procurement process.
Steps to Incorporate Software Analysis into Procurement
To manage cybersecurity risks in procurement, organizations must prioritize integrating software analysis into their purchasing workflows. Here are steps companies can take to strengthen their procurement process:
- Generate Comprehensive SBOMs
Creating a detailed Software Bill of Materials (SBOM) is the foundation of securing the software supply chain. An SBOM provides an inventory of all software components, including third-party libraries and dependencies, which are essential for identifying and managing cybersecurity risks. For example, NetRise’s analysis of networking equipment revealed that each device contained an average of 1,267 software components—highlighting the complexity of today’s software products.
- Implement Automated Risk Analysis
Automated risk analysis helps organizations gain a complete understanding of potential software risks. By using detailed software risk analysis tools, companies can assess the vulnerability of software or firmware packages before purchasing. In NetRise’s study, an average networking device contained 1,120 known vulnerabilities in its software components, underscoring the importance of proactive analysis.
- Prioritize and Compare Software Risks
Once a company has a full view of potential risks, it should prioritize vulnerabilities based on factors such as exploitability and network accessibility. Simply relying on Common Vulnerability Scoring System (CVSS) scores may not provide the full picture. In the NetRise study, 20 weaponized vulnerabilities were found per networking device, but a more in-depth analysis revealed that only seven of these were both weaponized and network accessible, highlighting the need for a more nuanced approach.
- Responsible Vulnerability and Risk Disclosure
Once software analysis is integrated into procurement processes, companies should establish procedures for responsible disclosure of any identified vulnerabilities. This information should be shared confidentially with the software vendor to encourage collaboration and remediation. Responsible disclosure helps build a more secure software ecosystem and ensures that risks are addressed before they can be exploited.
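As an added illustration of the SBOM-driven prioritization the steps above describe (example code written for this page, not NetRise’s tooling or data), the following Python joins a constructed CycloneDX-style SBOM fragment for two hypothetical vendors with a constructed vulnerability feed, ranks findings weaponized-and-reachable first, then weaponized, then by CVSS, and compares the vendors on those tiered counts. All purls, vulnerability ids, scores and flags are constructed placeholders.

```python
# Constructed SBOM fragments (CycloneDX-style, trimmed to purl plus a deployment
# fact) for two hypothetical vendor firmware images compared during procurement.
SBOMS = {
    "vendor_a": [
        {"purl": "pkg:generic/openssl@1.0.2k", "exposed": True},   # listens on the network
        {"purl": "pkg:generic/busybox@1.31.0", "exposed": True},
        {"purl": "pkg:generic/zlib@1.2.11", "exposed": False},     # internal library only
    ],
    "vendor_b": [
        {"purl": "pkg:generic/openssl@3.0.13", "exposed": True},
        {"purl": "pkg:generic/zlib@1.2.11", "exposed": False},
    ],
}

# Constructed vulnerability feed keyed by purl. Ids are placeholders, not real CVEs.
# 'kev' models a known-exploited (weaponized) flag; 'av' is the CVSS attack-vector
# metric (N = network, L = local).
VULN_FEED = {
    "pkg:generic/openssl@1.0.2k": [
        {"id": "VULN-0001", "cvss": 9.8, "av": "N", "kev": True},
        {"id": "VULN-0002", "cvss": 7.5, "av": "N", "kev": False},
    ],
    "pkg:generic/busybox@1.31.0": [{"id": "VULN-0003", "cvss": 8.8, "av": "L", "kev": True}],
    "pkg:generic/zlib@1.2.11": [{"id": "VULN-0004", "cvss": 9.8, "av": "N", "kev": True}],
    "pkg:generic/openssl@3.0.13": [{"id": "VULN-0005", "cvss": 5.3, "av": "N", "kev": False}],
}


def triage(components, feed):
    """Join an SBOM with the feed; a finding is reachable only if its CVSS attack
    vector is Network AND the component is actually exposed on the device."""
    findings = []
    for comp in components:
        for v in feed.get(comp["purl"], []):
            reachable = v["av"] == "N" and comp["exposed"]
            findings.append({**v, "purl": comp["purl"], "reachable": reachable})
    # Tiered order: weaponized + reachable, then weaponized, then raw CVSS.
    findings.sort(key=lambda f: (f["kev"] and f["reachable"], f["kev"], f["cvss"]), reverse=True)
    return {
        "total": len(findings),
        "weaponized": sum(f["kev"] for f in findings),
        "weaponized_reachable": sum(f["kev"] and f["reachable"] for f in findings),
        "ordered": [f["id"] for f in findings],
    }


def compare_vendors(sboms, feed):
    """Rank vendors lowest risk first by the tiered counts, not by CVSS alone."""
    results = {name: triage(comps, feed) for name, comps in sboms.items()}
    rank = lambda n: (results[n]["weaponized_reachable"], results[n]["weaponized"], results[n]["total"])
    return sorted(results, key=rank), results
```

Note that VULN-0004 carries the same 9.8 CVSS score as VULN-0001 yet drops to the second tier because its component is not exposed, which is the distinction the step above draws.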
By following these steps, organizations can significantly reduce cybersecurity risks in procurement and ensure that their software purchases are secure and reliable.
Conclusion
In today’s cyber threat landscape, trusting that the software you purchase is secure is no longer enough. The risks posed by software supply chain attacks are too high, and the consequences of a breach too severe to ignore. By integrating software analysis into procurement processes, organizations can make informed, secure decisions about the software and hardware they buy.
Ensuring comprehensive software visibility, leveraging automated risk analysis, and practicing responsible risk disclosure are not just best practices—they are essential for protecting your company’s digital assets. Moving from trust to verification is key to building a resilient cybersecurity posture.
Now is the time to act. By integrating software analysis into your procurement process, you can take control of your software supply chain security and protect your organization from the growing threat of software supply chain attacks. Adopting these measures ensures that your company stays ahead of cybersecurity risks and secures its operations in an increasingly vulnerable digital world.