Vigilant buyers are the best recipe for accountable suppliers
www.computerweekly.com
Opinion

In January 2025, outgoing CISA chief Jen Easterly called on IT buyers to demand better security standards from their software suppliers. The Security Think Tank considers what "better" means, and what best practice for secure software procurement looks like in 2025.

By Aditya K Sood, Aryaka
Published: 03 Feb 2025

In today's digital world, secure software is not just a feature; it is a requirement. The scale of advanced threats and cyber attacks means buyers must hold software suppliers and vendors accountable for security. Failure to do so leads to increased risk, security breaches and potential damage to the wider digital ecosystem.

Understanding the responsibilities of software suppliers is essential. Security should be built in, not added later. This requires a proactive approach that puts security controls and processes in place before code is written. Measures such as secure design review, threat modelling, secure coding practices, rigorous testing and ongoing vulnerability management are all part of a secure software development lifecycle (SDLC). Evidence of such an approach should reassure buyers that a supplier is committed to security.

Software suppliers must also be transparent about adopting software bills of materials (SBOMs): detailed inventories of every component in a product, including open source dependencies. This transparency allows organisations to understand the risks associated with third-party libraries and make informed decisions about which risks they are willing to accept.

Let's discuss why accountability matters. First, inherent vulnerabilities in vendor software can compromise organisations' sensitive data and critical operations. Second, successful exploitation of these vulnerabilities can lead to security breaches, exposing organisations to hefty fines, legal liabilities and reputational damage. Third, addressing vulnerabilities in the production environment adds significant cost: to security policies, to update practices, and to remediating any vulnerabilities or breaches discovered post-release. The financial and reputational risks of not holding software suppliers accountable for security are significant, making accountability a critical aspect of software procurement.

Inflection point

In January 2025, outgoing CISA chief Jen Easterly compared secure software development to automotive safety, arguing that we are at an inflection point similar to 1965, when Ralph Nader published Unsafe at Any Speed. Nader's book spurred public outrage over road safety and helped foster widespread adoption of new safety technology, such as seatbelts. Like Nader, Easterly believes change will only truly come if we demand better from our suppliers.

There are several steps customers can take to make accountability work.

Buyers should include explicit security requirements in contracts, mandating compliance with best practices, regular security audits and vulnerability disclosure protocols. Failure to meet these standards should have tangible consequences, such as financial penalties or contract termination.

Buyers should seek certifications or independent audits to verify a vendor's security claims. Certifications such as SOC 2, FedRAMP or PCI DSS show that a supplier has undergone a rigorous external evaluation, though each covers a defined scope, so buyers should check that the scope includes the product and services they are actually buying. Buyers should also ask for ongoing access to security dashboards or reports, so they can monitor the health of their vendors' systems over time rather than relying on a point-in-time attestation.

Buyers should evaluate the vendor's security posture, history of breaches and ability to meet compliance requirements, and should require vendors to disclose their secure software development lifecycle (SDLC) processes and security measures.

Regulations like the EU's General Data Protection Regulation (GDPR) and the US Cybersecurity Maturity Model Certification (CMMC) create frameworks that mandate accountability across supply chains. Buyers should leverage these regulations to ensure compliance and encourage suppliers to align with broader legal standards.

Secure software is no longer optional. Buyers have both the power and the obligation to hold suppliers and vendors accountable by demanding higher standards, enforcing compliance through contracts and leveraging regulatory frameworks. By doing so, they protect their own interests and contribute to a more secure digital world.

Aditya K Sood is vice president of security engineering and AI strategy at Aryaka.
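The SBOM transparency the article calls for only pays off if the buyer actually consumes the document. As an added illustration (not code from the article, from Aryaka, or from any real supplier), the script below ingests a CycloneDX JSON SBOM, cross-checks each component against an advisory list that uses OSV-style half-open version ranges, and flags entries too incomplete to assess at all. The SBOM contents, the package names and the advisory identifiers are all constructed for this example.

```python
import json

# Constructed sample SBOM in CycloneDX 1.5 JSON form. Product and
# component names are hypothetical; this is not any real supplier's SBOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application",
                               "name": "acme-portal", "version": "4.1.0"}},
    "components": [
        {"type": "library", "name": "widgetlib", "version": "1.2.0",
         "purl": "pkg:pypi/widgetlib@1.2.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "netcore", "version": "3.0.5",
         "purl": "pkg:pypi/netcore@3.0.5",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # Incomplete entry: no version and no licence information.
        {"type": "library", "name": "legacy-parser",
         "purl": "pkg:pypi/legacy-parser"},
    ],
})

# Constructed advisory feed (hypothetical identifiers) using OSV-style
# half-open ranges: a package is affected from `introduced` up to,
# but not including, `fixed`.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "ecosystem": "pypi", "name": "widgetlib",
     "introduced": "1.0.0", "fixed": "1.2.2"},
    {"id": "ADV-EXAMPLE-0002", "ecosystem": "pypi", "name": "netcore",
     "introduced": "3.1.0", "fixed": "3.1.4"},
]


def parse_version(version):
    """Turn '1.2.0' into (1, 2, 0, 0) so versions compare in order.

    Each dotted segment is truncated at its first non-digit, so
    '1.2.0rc1' becomes (1, 2, 0, 0). Good enough for the numeric
    versions used here; real feeds need an ecosystem-aware comparator.
    """
    parts = []
    for segment in version.split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    # Pad so that '1.2' and '1.2.0' compare equal.
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed."""
    v, lo, hi = (parse_version(x) for x in (version, introduced, fixed))
    return lo <= v < hi


def purl_ecosystem(purl):
    """Extract the package type from a purl: 'pkg:pypi/x@1.0' -> 'pypi'."""
    if not purl or not purl.startswith("pkg:"):
        return None
    return purl[len("pkg:"):].split("/", 1)[0]


def review_sbom(sbom_json, advisories):
    """Cross-check every component against the advisory list and flag
    entries too incomplete to assess. Returns a dict with two lists:
    'vulnerable' and 'incomplete'."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX document")

    vulnerable, incomplete = [], []
    for comp in bom.get("components", []):
        name = comp.get("name")
        version = comp.get("version")
        purl = comp.get("purl")
        missing = [f for f in ("version", "purl", "licenses") if not comp.get(f)]
        if missing:
            incomplete.append({"name": name, "missing": missing})
        if not version:
            continue  # cannot match a version range without a version
        ecosystem = purl_ecosystem(purl)
        for adv in advisories:
            if (adv["name"] == name and adv["ecosystem"] == ecosystem
                    and is_affected(version, adv["introduced"], adv["fixed"])):
                vulnerable.append({"name": name, "version": version,
                                   "advisory": adv["id"], "fixed": adv["fixed"]})
    return {"vulnerable": vulnerable, "incomplete": incomplete}


if __name__ == "__main__":
    print(json.dumps(review_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES), indent=2))
```

Run it directly to print the report. In practice the advisory data would come from a public vulnerability database and the SBOM from the supplier; for procurement, the "incomplete" list is often the more telling one, because a component with no version or licence cannot be matched against anything and suggests the SBOM was generated without care.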