In today’s digital world, secure software is not just a feature – it’s a requirement. The risk posed by advanced threats and cyber attacks means buyers must hold software suppliers and vendors accountable for security. Failure to do so could lead to increased risk, security breaches, and potential damage to the digital ecosystem.
Understanding the responsibilities of software suppliers is essential. Security should be built in, not added later. This requires a proactive approach: security controls and processes must be in place before code development begins. Measures such as secure design review, threat modelling, secure coding practices, rigorous testing, and ongoing vulnerability management are all part of a secure software development lifecycle. This proactive approach should reassure buyers that software suppliers are committed to security. Software suppliers must also be transparent about adopting software bills of materials (SBOMs) – detailed lists of all components, including open-source dependencies. This transparency allows organisations to understand the risks associated with third-party libraries and make informed decisions about the risks they are willing to accept.
Let’s discuss why accountability matters. First, inherent vulnerabilities in vendor software can compromise organisations’ sensitive data and critical operations. Second, successful exploitation of these vulnerabilities could lead to security breaches, exposing organisations to hefty fines, legal liabilities and reputational damage. Third, addressing vulnerabilities only once software is in the production environment adds significant cost: businesses must adjust their security policies and update practices and must deal with any vulnerabilities or breaches discovered post-release. The financial and reputational risks of not holding software suppliers accountable for security are significant, making accountability a critical aspect of software procurement.
There are several steps customers can take to make accountability work.
- Buyers should include explicit security requirements in contracts, mandating compliance with best practices, regular security audits and vulnerability disclosure protocols. Failure to meet these standards should have tangible consequences, such as financial penalties or contract termination.
- Buyers should seek certifications or independent audits to verify a vendor’s security claims. Certifications such as SOC 2, FedRAMP, or PCI DSS prove that a supplier has undergone rigorous evaluation. Buyers should also ask for real-time access to security dashboards or reports to monitor the health of their vendor’s systems over time.
- Buyers should evaluate the vendor’s security posture, history of breaches and ability to meet compliance requirements. They should also require vendors to disclose their secure software development lifecycle (SDLC) processes and security measures.
- Regulations like the EU’s General Data Protection Regulation (GDPR) and the US Cybersecurity Maturity Model Certification (CMMC) create frameworks that mandate accountability across supply chains. Buyers should leverage these regulations to ensure compliance and encourage suppliers to align with broader legal standards.
Secure software is no longer optional. Buyers have the power – and the obligation – to hold suppliers and vendors accountable by demanding higher standards, enforcing compliance through contracts, and leveraging regulatory frameworks. By doing so, they protect their interests and contribute to a secure digital world.
Aditya K Sood is vice president of security engineering and AI strategy at Aryaka.