Evaluating embedded vulnerabilities and cybersecurity risks in procurement


When you purchase a car, would you trust it if it hadn't gone through extensive crash safety testing? Of course not. The safety and reliability of the vehicle are paramount and knowing that it has been rigorously tested gives you peace of mind.

Similarly, would you take a new prescription drug that hadn't gone through rigorous FDA safety and effectiveness testing? Absolutely not! We rely on these safety measures to protect our health and well-being.

So why is it that so many enterprises buy software and hardware without thoroughly evaluating the cybersecurity risks associated with these products? In today’s world, where cyber threats are increasing in frequency and sophistication, this blind trust in software security is not just risky—it’s unacceptable.

Tom Pace

Founder, NetRise.

Why Should Software Security Analysis Be Part of the Enterprise Purchasing and Procurement Process?

Software is the backbone of the modern enterprise. It powers business processes, connects companies with customers and partners, automates back-office tasks, and even builds market presence. Today’s world is built on software: third-party software, open-source software, in-house developed software, operating system software, applications, containers, and device firmware, to name a few.

However, this reliance on software comes with hidden dangers. Many companies operate under the assumption that the software they purchase is inherently secure. Unfortunately, recent high-profile software supply chain breaches have very much proven otherwise. The reality is that every piece of software, no matter how reputable the source, poses risks.

Despite this, current software procurement processes rarely include quantifiable methods to evaluate the cybersecurity risk of the products being considered. According to NetRise software analyses, there can be up to a 300% difference in software risk levels between similar software asset classes from different vendors. This means that some products may be significantly more secure than others, even if they appear similar on the surface.

The recognition that cybersecurity should be a key consideration in purchasing decisions isn’t new. Since at least 2018, there has been growing awareness that purchasing departments should evaluate the cybersecurity of a vendor’s software alongside traditional factors such as quality and delivery performance. The question is no longer whether to include cybersecurity in procurement processes, but why it matters now more than ever.

Why Now?

Supply chain cyber-attacks are very much on the rise. Consider these alarming statistics:

According to Capterra’s “2023 Software Supply Chain Survey,” 61% of companies were impacted by a software supply chain cyber-attack in the 12 months preceding the survey.

Software supply chain attacks have become a global challenge, growing dramatically in scope and frequency. Yet, proactive efforts to mitigate these risks are still rare—only 7% of respondents to Sonatype’s ninth annual State of the Software Supply Chain report have made efforts to review security risks in their supply chains.

Clearly, the enterprise purchasing and procurement process is where these evaluations should begin.

But Isn’t Security Already Part of the Enterprise Procurement Process?

One might assume that security is already baked into the enterprise procurement process. To some extent, this is true. Many organizations do include supply chain security measures as part of their procurement practices. However, these measures typically do not include direct testing or evaluation of the cybersecurity risks of the software products being considered.

So, what does the typical enterprise procurement process include? According to the Cybersecurity and Infrastructure Security Agency (CISA), standard practices often involve:

  • Vendor questionnaires and assessments
  • Reviews of the vendor's security policies and practices
  • Audits of third-party certifications (e.g., ISO 27001)
  • Contractual security requirements
  • Supplier performance management

These steps are important, but they rely heavily on self-reporting by vendors. While we entrust third-party organizations like the National Highway Traffic Safety Administration (NHTSA) and the Food and Drug Administration (FDA) to conduct independent safety tests for cars and drugs, we often rely on software vendors to self-report their cybersecurity status. This is a critical gap in the process, and it’s where the principle of “trust but verify” must come into play.

Trust, But Verify: Knowing the Exact Vulnerability and Risk State of the Software You Purchase

Enterprises should take a proactive approach by directly analyzing the business software they are considering for purchase as part of their procurement process.

However, many organizations don’t realize this is even possible, and some struggle to believe it when they first encounter the idea. But it is possible, it can be done in minutes, and it can be done efficiently and effectively.

This is where “trust but verify” comes in. Blind trust in software can lead to devastating consequences—from data breaches to operational disruptions. Comprehensive visibility into all software components and dependencies is not just advisable; it’s necessary. And this level of visibility can be seamlessly integrated into every enterprise purchasing and procurement process.

Steps to Incorporate Software Analysis in Procurement

To address these challenges, organizations must prioritize integrating software analysis into their procurement workflows. The findings from the NetRise study underscore the critical importance of having a detailed understanding of all software components and risks. Here are some basic steps companies should consider:

Generate Comprehensive SBOMs: Creating detailed Software Bills of Materials (SBOMs) is the foundation of effective supply chain security. SBOMs provide a clear inventory of all software components, including third-party libraries and dependencies. This inventory is essential for identifying and managing risks effectively. In a recent NetRise study, we generated detailed SBOMs for 100 tested networking equipment devices and saw that each device contains 1,267 software components on average.

Implement Automated Software Risk Analysis: Using detailed software risk analysis methods, companies can uncover a complete risk picture of each software or firmware package, ensuring a thorough risk assessment. In the NetRise study, we found that the average network equipment device has 1,120 known vulnerabilities in its underlying software components.

Prioritize and Compare Software Risks: Once comprehensive visibility is achieved, organizations should prioritize vulnerabilities based on factors beyond CVSS scores, such as weaponization and network accessibility. This approach ensures that the most critical threats are identified. Using this prioritized list of critical threats, teams can compare and contrast the risk state of the different software products under consideration. For example, the NetRise study found only 20 weaponized vulnerabilities per networking device on average, and of those only 7 were also network accessible.

Responsible Vulnerability and Risk Disclosure: Once implemented into purchasing and procurement processes, companies should establish processes for the responsible disclosure of vulnerability and risk assessment information to the considered software vendors. This information should be considered confidential and not shared outside the organization.
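To make the prioritization and comparison in the steps above concrete, here is an added example (not NetRise's platform or code from this article): it takes a constructed SBOM-style inventory for two hypothetical vendor products and ranks them by weaponized, network-accessible vulnerabilities ahead of raw counts or CVSS. The vendor names, component names, vulnerability ids and the weaponized/network-accessible flags are all constructed assumptions.

```python
# Added example, not NetRise's tooling: tier the vulnerabilities found in an
# SBOM-style inventory and rank candidate products for a procurement comparison.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vuln:
    vuln_id: str              # constructed placeholder, not a real CVE id
    cvss: float
    weaponized: bool          # assumption: a public exploit exists (from a threat-intel feed)
    network_accessible: bool  # assumption: the component is reachable over the network


@dataclass
class Component:
    name: str
    version: str
    vulns: list = field(default_factory=list)


def risk_profile(components):
    """Count vulnerabilities from the broadest tier (all known) down to the tier to fix first."""
    vulns = [v for c in components for v in c.vulns]
    weaponized = [v for v in vulns if v.weaponized]
    return {
        "components": len(components),
        "known_vulns": len(vulns),
        "weaponized": len(weaponized),
        "weaponized_network_accessible": sum(1 for v in weaponized if v.network_accessible),
        "max_cvss": max((v.cvss for v in vulns), default=0.0),
    }


def rank_products(sboms):
    """Order products, least risky first: exploitable-and-reachable vulns outrank raw counts or CVSS."""
    profiles = {name: risk_profile(comps) for name, comps in sboms.items()}
    key = lambda n: (profiles[n]["weaponized_network_accessible"],
                     profiles[n]["weaponized"], profiles[n]["known_vulns"])
    return sorted(profiles, key=key), profiles


# Constructed sample inventories for two hypothetical vendors' firmware images.
SBOMS = {
    "vendor-a-router-fw": [
        Component("libexample", "1.0", [Vuln("VULN-0001", 9.8, True, True), Vuln("VULN-0002", 7.5, False, True)]),
        Component("tinyhttpd", "2.1", [Vuln("VULN-0003", 8.1, True, True)]),
        Component("busybox-ish", "1.3", [Vuln("VULN-0004", 5.3, True, False)]),
    ],
    "vendor-b-router-fw": [  # higher top CVSS, but nothing both weaponized and reachable
        Component("libexample", "1.2", [Vuln("VULN-0005", 10.0, False, True), Vuln("VULN-0006", 6.5, False, False)]),
        Component("tinyhttpd", "2.3", []),
        Component("busybox-ish", "1.4", [Vuln("VULN-0007", 7.2, True, False)]),
    ],
}

if __name__ == "__main__":
    order, profiles = rank_products(SBOMS)
    for name in order:
        print(name, profiles[name])
```

Vendor B ranks ahead of vendor A despite carrying the single highest CVSS score, which is the point of prioritizing on weaponization and reachability rather than CVSS alone.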

By focusing on these steps, organizations can significantly enhance the security of their supply chain processes and of the software and hardware they purchase.

Conclusion

In today’s rapidly evolving cyber threat landscape, it’s no longer enough to trust that the software you purchase is secure. The risks are too great, and the consequences of a breach are too severe. By incorporating software analysis into the procurement process, organizations can ensure that they are making informed, secure choices when acquiring new software and hardware.

Comprehensive software visibility, automated risk analysis, and responsible risk disclosure are not just best practices—they are essential steps for any organization looking to protect its digital assets. It’s time to move beyond trust alone. It’s time to verify. By adopting these practices, organizations can build a robust foundation for their cybersecurity efforts and safeguard their operations against the growing wave of software supply chain attacks.

Now is the time to act. Integrate software analysis into your procurement process today and take control of your software supply chain security.


This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
