CISA’s Secure by Demand guidance provides a list of questions that enterprise software buyers should ask software producers to evaluate their security practices prior to, during and after procurement. It’s a good idea in principle as every organization needs to be asking the questions presented in “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem.”
The question lies in how you get answers. Questionnaires and SBOMs provide certain information, but don’t provide enough to be able to truly assess the risk of the product that you're buying. Enterprise buyers need direct, verifiable evidence of software security. Here's why you need to trust, but verify.
Secure by Demand: Key Subject Areas
The questions CISA suggests software vendors answer fall into six subject areas:
- General questions: Has the vendor taken CISA’s Secure by Design pledge, and how do they manage security patches for their customers?
- Authentication: How does the vendor support secure authentication such as single sign-on (SSO), MFA, passkeys, and password management?
- Eliminating vulnerability classes: Does the vendor systematically address software vulnerabilities across its products, and does it have a roadmap to fix known security defects?
- Evidence of intrusions: Does the vendor, particularly cloud service and SaaS providers, give customers security logs that can serve as evidence of possible intrusions?
- Software supply chain security: How does the vendor maintain and share provenance data for third-party dependencies (e.g. software bills of materials, or SBOMs), and does it have processes to govern its use of, and contributions to, open source software components?
- Vulnerability disclosure: Does the vendor have a vulnerability disclosure program (VDP) to demonstrate transparency and timeliness in vulnerability reporting for both on-premises and cloud products?
Secure by Demand: A Good First Step — But Certainly Not the Last
CISA’s guidance is a good starting point for organizations that want to build a process for ensuring the software they procure from vendors is safe. However, they shouldn’t stop there, as relying solely on questionnaires and SBOMs leaves gaps in your third-party cyber-risk management (TCPRM), or what the industry often refers to as third-party software risk management. The challenge is that questionnaires can be incomplete or misleading. While SBOMs identify components, they are ultimately just a list of ingredients in the vendor’s software that offers little in the way of actionable insight into the security of that software.
This latest CISA guidance also emphasizes open-source vulnerabilities. While that is important, software supply chain security risks also arise from proprietary, commercial, open source, and build artifacts, in the form of malware, tampering, suspicious behaviors, exposed secrets, and more. These types of risks have resulted in serious software supply chain attacks, such as those on SolarWinds in 2020 and 3CX in 2023.
Consider the conclusion made by the 2024 Verizon Data Breach Investigations Report (DBIR), stating that breaches stemming from third-party software development organizations increased by 68% from 2023. Yet despite this, current third-party risk management (TPRM) methods have failed to bring transparency to third-party software specifically.
It's Time to Trust, But Verify
Cybersecurity and risk professionals focused on third-party software risk need a control that provides verifiable evidence that the software they purchase is safe. But how do you ensure the accuracy of an SBOM or calculate the risk of threats from software you’re purchasing? You need to independently validate the security of that software.
Spectra Assure™ does exactly that. Spectra Assure uses complex binary analysis to provide comprehensive, independent software analysis that goes beyond the limited assurances that questionnaires and SBOMs offer. These insights are synthesized into a Spectra Assure SAFE Report, which includes a comprehensive SBOM along with a digestible and actionable software risk assessment.
With Spectra Assure, you can independently test and verify that software is free from malware, tampering, suspicious behaviors, vulnerabilities, and more — before, during or after deployment. The SAFE report can be securely and privately shared with your software vendors to address any new or lingering security issues.
Spectra Assure puts the power of validation into the hands of enterprise software buyers, where it belongs. If you’re not doing your own validation, you’re relying on blind trust that vendor questionnaires and SBOMs have you covered. That’s a risk most enterprises shouldn’t have to take.
Take the Spectra Assure Virtual Tour to see how ReversingLabs delivers concrete, verifiable security assurances that exceed CISA's suggestions.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.