Do you have a process and implemented procedures for managing your software supply chain (e.g., libraries, repositories, frameworks, etc.)?
Explanation
Guidance
Include any in-house developed or contract development.
Example Responses
Example Response 1
Yes, we have a comprehensive software supply chain management program. We maintain a Software Bill of Materials (SBOM) for all applications using the OWASP Dependency-Track platform, which provides a real-time inventory of all third-party components. New libraries undergo security review before approval, including checks for known vulnerabilities, maintenance status, and licensing compliance. Our CI/CD pipeline includes automated scanning with Snyk and SonarQube to detect vulnerable dependencies during build processes. We have established update procedures with SLAs based on vulnerability severity (Critical: 24 hours, High: 7 days, Medium: 30 days). For contract development, our vendor agreements require adherence to the same standards, and we validate this through code reviews and automated scanning of all submitted code. We conduct quarterly reviews of our dependency inventory to identify and remove unused or outdated components.
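The response above combines an SBOM inventory with severity-based remediation SLAs. The following is an added example, not part of the questionnaire or of any of the named tools, showing how a pipeline gate could check scanner findings against those SLAs (Critical 24h, High 7d, Medium 30d) using the SBOM as the component inventory. The SBOM is a constructed CycloneDX-style document, the findings list uses a hypothetical format rather than Dependency-Track's API, and all component names, versions and refs are placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

# Remediation SLAs quoted in Example Response 1, expressed in hours from detection.
SLA_HOURS = {"critical": 24, "high": 7 * 24, "medium": 30 * 24}

# Constructed CycloneDX-style SBOM (names, versions and refs are placeholders).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-lib", "version": "1.2.3",
         "bom-ref": "pkg:generic/example-lib@1.2.3"},
        {"type": "library", "name": "other-lib", "version": "4.0.0",
         "bom-ref": "pkg:generic/other-lib@4.0.0"},
    ],
})

# Constructed scanner findings in a hypothetical format (not Dependency-Track's API).
SAMPLE_FINDINGS = [
    {"ref": "pkg:generic/example-lib@1.2.3", "severity": "critical",
     "detected_at": "2024-06-09T00:00:00Z", "fixed_at": None},
    {"ref": "pkg:generic/other-lib@4.0.0", "severity": "high",
     "detected_at": "2024-06-05T00:00:00Z", "fixed_at": None},
    {"ref": "pkg:generic/other-lib@4.0.0", "severity": "medium",
     "detected_at": "2024-05-01T00:00:00Z", "fixed_at": "2024-05-20T00:00:00Z"},
    {"ref": "pkg:generic/example-lib@1.2.3", "severity": "low",
     "detected_at": "2024-06-01T00:00:00Z", "fixed_at": None},
    {"ref": "pkg:generic/unlisted-lib@0.1.0", "severity": "high",
     "detected_at": "2024-06-08T00:00:00Z", "fixed_at": None},
]


def parse_time(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def load_components(sbom_json):
    """Return {bom-ref: "name@version"} for every component listed in the SBOM."""
    bom = json.loads(sbom_json)
    return {c["bom-ref"]: f'{c["name"]}@{c["version"]}' for c in bom.get("components", [])}


def sla_deadline(severity, detected_at):
    """Deadline by which a finding of this severity must be fixed, or None if no SLA applies."""
    hours = SLA_HOURS.get(severity.lower())
    if hours is None:
        return None
    return detected_at + timedelta(hours=hours)


def classify_finding(finding, components, now):
    """Classify one finding: fixed_in_sla, fixed_late, open, overdue, no_sla or unknown_component."""
    if finding["ref"] not in components:
        # A finding on something missing from the SBOM means the inventory has drifted.
        return "unknown_component"
    detected = parse_time(finding["detected_at"])
    deadline = sla_deadline(finding["severity"], detected)
    if deadline is None:
        return "no_sla"
    if finding["fixed_at"] is not None:
        return "fixed_in_sla" if parse_time(finding["fixed_at"]) <= deadline else "fixed_late"
    return "overdue" if now > deadline else "open"


def evaluate(sbom_json, findings, now):
    """Return (component-or-ref, severity, status) for every finding."""
    components = load_components(sbom_json)
    return [
        (components.get(f["ref"], f["ref"]), f["severity"], classify_finding(f, components, now))
        for f in findings
    ]


def overdue_refs(sbom_json, findings, now):
    """Refs with open findings past their SLA: the set a build gate should fail on."""
    components = load_components(sbom_json)
    return sorted({f["ref"] for f in findings
                   if classify_finding(f, components, now) == "overdue"})


if __name__ == "__main__":
    now = parse_time("2024-06-10T12:00:00Z")
    for row in evaluate(SAMPLE_SBOM, SAMPLE_FINDINGS, now):
        print(row)
    print("gate would fail on:", overdue_refs(SAMPLE_SBOM, SAMPLE_FINDINGS, now))
```

Two design points worth noting: a finding that references a component absent from the SBOM is reported as `unknown_component` rather than silently skipped, because it indicates the inventory the response relies on is incomplete; and severities with no SLA (Low here) are surfaced as `no_sla` so the policy gap is visible rather than hidden.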
Example Response 2
Yes, we implement a structured approach to software supply chain management. All developers must source packages exclusively from our private Artifactory repository, which mirrors approved public repositories. Before components are added to our approved list, our security team evaluates them against our security requirements checklist. We use GitHub's Dependabot to continuously monitor dependencies for security vulnerabilities and automatically create pull requests for updates. Our development teams conduct monthly dependency reviews to identify and update outdated components. For our contract developers, we provide access to the same tools and require them to follow our documented procedures for dependency management. We also perform static application security testing (SAST) on all code, including third-party libraries, before it enters our production environment. Our process is documented in our Software Development Lifecycle policy, which is reviewed annually.
Example Response 3
No, we currently don't have a formal process for managing our software supply chain. Our developers select libraries and frameworks based on their technical requirements and experience. We rely on developers to keep dependencies updated as part of their regular development activities. While we do occasionally scan our code for vulnerabilities using free online tools, we don't have a systematic approach to tracking all third-party components or evaluating them before use. We recognize this is a gap in our security posture and are planning to implement a more structured approach in the next quarter, including adopting a dependency management tool and establishing formal review procedures for third-party components.
Context
- Tab: Infrastructure
- Category: Application/Service Security