Secure-by-design and secure-by-default principles, use of memory-safe programming languages where possible, and secure programming practices are used as part of application development.
Communicate security requirements to third-party providers of commercial software components to ensure they meet the organization's standards. Include these requirements in contracts, establish clear selection criteria, require attestations and provenance data, and define processes for handling exceptions. This approach mitigates risks associated with integrating third-party components into secure software environments.
Strengthen supplier relationships by clearly defining and discussing security responsibilities and expectations as part of the contracting process. Specify quality requirements, such as compliance with security standards like the OWASP Top 10, and assign tasks, such as conducting continuous static code analysis or independent penetration testing prior to major releases. Formalize these responsibilities in Service Level Agreements (SLAs) that include liability provisions, liability caps, and remediation timelines for security issues. Standardize agreements with suppliers over time to streamline negotiations and ensure critical security considerations are not overlooked. While standardized agreements provide a baseline, allow for flexibility to adapt to specific supplier capabilities and project needs. This approach mitigates risks associated with third-party software components, ensuring alignment with organizational security standards and reducing vulnerabilities in the supply chain.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-01-03-01-01 | Define security responsibilities for suppliers | Identify and document security responsibilities for suppliers, such as quality requirements (e.g., compliance with OWASP Top 10) and specific tasks (e.g., static code analysis, penetration tests). | Preparation | Procurement team, Security team, Legal team |
SSS-02-01-03-01-02 | Draft and establish supplier agreements | Develop a Service Level Agreement (SLA) or contract that outlines supplier responsibilities, tasks, quality requirements, liabilities, and penalties for non-compliance. | Preparation | Procurement team, Legal team, Security team |
SSS-02-01-03-01-03 | Communicate responsibilities and expectations | Conduct discussions with suppliers to clarify security expectations, responsibilities, and deliverables. Ensure mutual understanding and agreement. | Development | Procurement team, Supplier representatives |
SSS-02-01-03-01-04 | Standardize supplier agreements | Create a template for supplier agreements to streamline negotiations while allowing for case-specific adjustments. Regularly review and update this template as needed. | Development | Legal team, Procurement team, Security team |
SSS-02-01-03-01-05 | Monitor supplier compliance | Set up processes to verify supplier compliance with agreed security responsibilities, such as regular audits, progress reports, or integration with your development workflows. | Post-deployment | Security team, Procurement team |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-0401); NIST Secure Software Development Framework (PO.1.3); OWASP SAMM: Software Assurance Maturity Model (D-SR-2-B) | | |