Even when your organization relies heavily on third-party software, you’re still responsible for making sure that software meets security expectations, adheres to compliance requirements, and protects customer data.
You need a foundational security control for risk management in the software supply chain
We previously introduced a compact version of the BSIMM for vendors, called the vBSIMM. Now we’ve released a new version: BSIMMsc. The BSIMMsc describes a set of activities that you can use as part of your software supply chain risk management strategy. It empowers you to measure the software security capabilities within a supplier’s software development process.
Key steps to software supply chain management
1. Measure yourself with the BSIMM
BSIMM9 includes five specific activities (out of 116) that are relevant to controlling the software security risk associated with third-party vendors. These are worth calling out because they should be performed by all firms acquiring third-party software:
Every firm that acquires third-party software (whether custom, commercial off-the-shelf, open source, or anything in between) should take the time to determine how well they’re performing these five activities relative to each software supplier.
2. Use the BSIMMsc for your software supply chain
The BSIMMsc comprises the following BSIMM activities:
Identification & Response
Integration & Governance
Depth & Automation
Strategy & Metrics
Compliance & Policy
Standards & Requirements
Configuration Management & Vulnerability Management
Use the model to review the software security maturity of any software supplier.
The BSIMM is designed to help you understand, measure, and plan a software security initiative. It was created by observing and analyzing real-world data from leading software security initiatives.