On Vendor Security
Originally written in Jul 2023.
TL;DR
This is a draft.
Vendor security questionnaires are security theater designed to cover your ass. They don't provide any in-depth understanding of a vendor’s security trustworthiness. Don’t use those big questionnaires; instead, use the Vendor Show & Tell.
Ask “Show me your”:
- Threat model
- Software Bill of Materials (SBOM)
- The last five security events / incidents
Vendor Security
If you’ve been working in the security world for some time, especially in big corporations, you’ve probably been on the receiving (or giving) end of the vendor security questionnaires.
These questionnaires supposedly let you understand whether you can trust a particular vendor (or someone else can trust your company) with data and business-valuable transactions. These documents range from a few dozen questions all the way to several hundred... Yeah... Hundreds.
The fact of the matter is that, as it is today, those questions don’t answer anything. It’s all “cover your ass” legal and compliance stuff, designed to say to your board and insurance companies “see, I asked, they told me they were certified...”
Asking things like:
- How will the data be stored, transmitted, and protected?
- Do you have a formal incident response plan in case of a cyberattack?
- How often do you conduct risk management services such as scanning for vulnerabilities or performing penetration tests?
will not give you a deep understanding of anything. Maybe a surface-level overview... Maybe. But for the most part you will not know whether the vendors have any meaningful security program and take security seriously.
Still, we need to know whether we can do business with these companies or individuals, or someone needs to know whether they can do business with us. To that end, I think it’s time we redefine how we approach this assessment, factoring in risk and asking the right questions.
Over the past several months I’ve been experimenting with a different approach, something I began calling the Vendor Show & Tell. Instead of sending a vendor 200 questions, I ask only three things. I ask them to show me their:
- Threat model
- Software Bill of Materials (SBOM)
- The last 5 security events / incidents
Threat Model
As we saw before, a threat model will give you an understanding of what threats can affect you and your assets, and what actions or mitigation activities you can focus on to minimize the chances of those threats materializing.
A vendor that takes security seriously will perform ongoing and constant threat modeling on their products, services, and their whole environment. They will understand the risks resulting from these threats, and they will have an informed security program, based on the assessment of risk. Asking a vendor for a threat model will allow you to understand their security maturity, and also understand whether you have an insecure product or service you are trying to use.
This will allow you to start your risk assessment on the vendor.
Software Bill of Materials (SBOM)
Borrowed from the manufacturing world, an SBOM is a list of all the open source and third-party components used in the codebase of an application or service. The SBOM also lists the licenses of those components, their versions and patch status, which allows security teams to quickly identify any security issues that need to be resolved.
This question is only relevant if you are trying to bring in a new application or service with a software component. It will give you a good overview of whether the vendor is using insecure third-party libraries or code, and whether they have a good patch management strategy for these components. SBOM will also give you transparency about the vendor’s development practices.
Apply the controls and perform the threat model once more, just to be sure you didn’t miss anything.
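One way to run a first pass over the SBOM a vendor hands you, as an added example that is not part of the original post: it assumes the vendor delivers CycloneDX JSON, and the component names and advisory ids are constructed sample data.

```python
import json

# Constructed sample: a minimal CycloneDX-style JSON SBOM (not from any real vendor).
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"bom-ref": "c1", "name": "example-http", "version": "2.3.1",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"bom-ref": "c2", "name": "example-parser", "version": "0.9.0",
     "licenses": []},
    {"bom-ref": "c3", "name": "example-crypto",
     "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ],
  "vulnerabilities": [
    {"id": "EXAMPLE-0001", "affects": [{"ref": "c1"}], "analysis": {"state": "resolved"}},
    {"id": "EXAMPLE-0002", "affects": [{"ref": "c2"}], "analysis": {"state": "exploitable"}},
    {"id": "EXAMPLE-0003", "affects": [{"ref": "c3"}]}
  ]
}
""")

# Analysis states that mean the vendor has already dealt with the issue.
CLOSED_STATES = {"resolved", "resolved_with_pedigree", "not_affected", "false_positive"}

def triage_sbom(sbom):
    """Return {component name: [findings]} for components worth a follow-up question."""
    findings = {}
    names = {}  # bom-ref -> component name, used to resolve vulnerability targets
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        names[comp.get("bom-ref")] = name
        if not comp.get("version"):
            findings.setdefault(name, []).append("no version pinned")
        if not comp.get("licenses"):
            findings.setdefault(name, []).append("no license declared")
    for vuln in sbom.get("vulnerabilities", []):
        state = vuln.get("analysis", {}).get("state", "no analysis")
        if state in CLOSED_STATES:
            continue  # patched, not affected, or a false positive
        for target in vuln.get("affects", []):
            name = names.get(target.get("ref"), "<unknown ref>")
            findings.setdefault(name, []).append(f"{vuln.get('id')}: {state}")
    return findings

if __name__ == "__main__":
    for name, issues in triage_sbom(SAMPLE_SBOM).items():
        print(f"{name}: {'; '.join(issues)}")
```

Each finding is a question to bring back to the vendor, not a verdict: a missing version or an open advisory is where the conversation about their patch management starts.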
The Last Five Security Events or Incidents
This question is extremely important. Even the most secure organizations have security incidents, and potentially breaches. There is no way to avoid those; however, a mature organization would have a good incident response runbook, a team to handle them, and a way to learn from them.
Asking a vendor to show you the last five security events or incidents will provide you with a good picture of the level of security maturity of this vendor, and whether there is a lingering security issue with their services or apps. If you see that incidents revolved around certain vulnerabilities, then you can question the vendor about the underlying issues, why they are not fixing them, or whether they were aware of them.
This information, coupled with the threat model you also asked for, will let you know whether you have a problem.
In Summary
Since I began trying to assess vendor risk by asking for these three things, I’ve seen far better (and faster) results from vendors. Not all of them are willing to disclose these things, but those that do have provided me with a far better understanding of their security posture and best practices, enabling in turn a better assessment of whether I can do business with them.
I think maybe it’s time to change how we approach vendor security as a whole, and it begins, first of all, with understanding their security.
When in doubt, always assume vendor compromise. Create controls to protect your data sitting in their cloud, or the access to your systems. Understand what can go wrong and preemptively monitor and detect those things. Try to be one or two steps ahead of anything going wrong with your vendors.
I’m working on an overall vendor risk assessment framework, but it’s still not all it can be. I will post it here when it’s ready. In the meantime, ask your vendors the right question. Ask them to show you their stuff.
By the way, Daniel Miessler wrote up a good approach to vendor security as well. His Vendor Security 2.0 is also a viable approach.