This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) took a major step forward as it continues to define federal software supply chain security policy. “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem” serves as the official counterpart to the CISA’s landmark Secure by Design guidance (PDF), released in April 2023.
Secure by Design was one of the first federal initiatives aiming to shift the burden of software supply chain attacks away from the end user and onto those who create, ship, and maintain software products. Subsequently, CISA’s release of the Secure by Design Pledge just a few months ago further encouraged software producers to take steps to ensure they are following secure software development and maintaining practices.
But what was missing from Secure by Design’s message was a key piece of software supply chain security: the enterprise buyer. Commercial software risk remains one of the most under-addressed cybersecurity risks facing enterprises today. That's why security and risk leaders are inclined to check the security measures of the software products their enterprises are consuming. Secure by Demand embodies this sentiment.
Here are the key components of Secure by Demand, why they matter for enterprise buyers and software producers alike — and how enterprises can go beyond what CISA outlines.
[ Get White Paper: How to Assess & Manage Commercial Software Risk ]
How to hold software producers accountable
Secure by Demand aims to empower enterprise buyers with a set of checks that can be demanded of a software producer before, during, and after procurement. These checks speak not only to enterprise security, but also to product security, which CISA believes has been more of an afterthought when it comes to procurement compliance:
“There are many compliance standards that organizations use during procurement that focus on enterprise security; conversely, relatively few focus on product security. This guide bridges that gap by offering resources organizations can leverage to assess product security maturity and whether a manufacturer follows secure by design principles.”
Secure by Demand’s checks are presented as a list of questions that enterprise buyers can ask the software producer they wish to work with, including:
- Have they taken CISA’s Secure by Design Pledge?
- Do they make it simple for customers to install security patches?
- Does the product support secure authentication (SSO, MFA, passkeys, and the elimination of default passwords)?
- Is the software producer systematically addressing entire classes of vulnerabilities?
- Are they able to provide security logs in the baseline version of their product?
- Do they generate a software bill of materials (SBOM) and vet the security of open-source software components?
- Are they transparent and timely in vulnerability reporting?
These checks serve as an important start in ensuring that software supply chain security is upheld from all ends of the software supply chain. By holding software producers accountable for these Secure by Design principles, enterprise buyers now hold the power in the software market to sway more companies to prioritize these secure software practices. This will also greatly benefit the enterprise buyer, because the risks posed to their company by commercial software use will be minimized.
Software supply chain security doesn’t stop with guidance
CISA’s release of Secure by Demand is just the beginning of a shake-up in software supply chain security. Charlie Jones, director of product management for software supply chain security at ReversingLabs, emphasized that accountability for software supply chain risk will only grow for both software producers and enterprise buyers.
"For enterprise buyers of software, visibility into their supply chain is no longer optional. Emerging regulation demands that organization's demonstrate control over business-critical software, regardless of whether it was built or bought."
–Charlie Jones
This increasing accountability for software supply chain security is warranted, given that the threat posed by commercial software use is only increasing. It was found in the 2024 Verizon Data Breach Investigations Report (DBIR) that breaches stemming from third-party software development organizations played a role in 15% of the more than 10,000 data breaches Verizon documented – a 68% jump from the 2023 DBIR. This uptick prompted Verizon’s callout for companies to “start looking at ways of making better choices” about which software providers they choose to work with “so as to not reward the weakest links in the chain.”
While Secure by Demand is right to point out the risks associated with vulnerabilities and open-source software components, breaches stemming from commercial software use can be caused by additional threats, such as malware insertion, tampering of the build environment, and secrets exposure. These kinds of threats have led to some of the most detrimental software supply chain attacks, including those on SolarWinds in 2020 and 3CX in 2023.
Minimizing commercial software risk in the long run will require both software producers and enterprise buyers to focus on all kinds of risk — not just some. Learn how to make your software supply chain security efforts as comprehensive as possible with our whitepaper “Assess & Manage Commercial Software Risk.”
