Products & Technology | September 4, 2024

Secure by Demand: Going Beyond Questionnaires & Software Bills of Materials

Enterprise buyers need direct, verifiable evidence of software security. Here's why your organization needs to trust, but verify.

Joe Coletta

CISA’s Secure by Demand guidance provides a list of questions that enterprise software buyers should ask software producers to evaluate their security practices prior to, during and after procurement. It’s a good idea in principle as every organization needs to be asking the questions presented in “Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem.”

The question lies in how you get the answers. Questionnaires and SBOMs provide some information, but not enough to truly assess the risk of the product you're buying. Enterprise buyers need direct, verifiable evidence of software security. Here's why you need to trust, but verify.


Secure by Demand: Key Subject Areas

The questions CISA suggests software vendors answer fall into six subject areas:

  • General questions: Has the vendor taken CISA’s Secure by Design pledge, and how do they manage security patches for their customers?
  • Authentication: How does the vendor support secure authentication such as single sign-on (SSO), MFA, passkeys, and password management?
  • Eliminating vulnerability classes: Does the vendor systematically address software vulnerabilities across its products, and does it have a roadmap to fix known security defects?
  • Evidence of intrusions: Does the vendor (in particular, cloud service and SaaS providers) give customers the security logs they need to detect and investigate possible intrusions?
  • Software supply chain security: How does the vendor maintain and share provenance data for third-party dependencies (e.g. software bills of materials, or SBOMs), and what processes does it have to govern its use of, and contributions to, open source software components?
  • Vulnerability disclosure: Does the vendor have a vulnerability disclosure program (VDP) to demonstrate transparency and timeliness in vulnerability reporting for both on-premises and cloud products?

Secure by Demand: A Good First Step — But Certainly Not the Last


CISA’s guidance is a good starting point for organizations that want to build a process for ensuring the software they procure from vendors is safe. However, they shouldn’t stop there, as relying solely on questionnaires and SBOMs leaves gaps in your third-party cyber-risk management (TPCRM), or what the industry often refers to as third-party software risk management. The challenge is that questionnaires can be incomplete or misleading. And while SBOMs identify components, they are ultimately just a list of ingredients in the vendor’s software; they offer little in the way of actionable insight into the security of that software.

This latest CISA guidance also emphasizes open-source vulnerabilities. While that is important, software supply chain security risks also arise from proprietary, commercial, open source, and build artifacts, in the form of malware, tampering, suspicious behaviors, exposed secrets, and more. These types of risks have resulted in serious software supply chain attacks, such as those on SolarWinds in 2020 and 3CX in 2023.

Consider the conclusion made by the 2024 Verizon Data Breach Investigations Report (DBIR), stating that breaches stemming from third-party software development organizations increased by 68% from 2023. Yet despite this, current third-party risk management (TPRM) methods have failed to bring transparency to third-party software specifically.

It's Time to Trust, But Verify

Cybersecurity and risk professionals focused on third-party software risk need a control that provides verifiable evidence that the software they purchase is safe. But how do you ensure the accuracy of an SBOM or calculate the risk of threats from software you’re purchasing? You need to independently validate the security of that software.

Spectra Assure™ does exactly that. Spectra Assure uses complex binary analysis to provide comprehensive, independent software analysis that goes beyond the limited assurances that questionnaires and SBOMs offer. These insights are synthesized into a Spectra Assure SAFE Report, which includes a comprehensive SBOM along with a digestible and actionable software risk assessment.

With Spectra Assure, you can independently test and verify that software is free from malware, tampering, suspicious behaviors, vulnerabilities, and more — before, during or after deployment. The SAFE report can be securely and privately shared with your software vendors to address any new or lingering security issues.

Spectra Assure puts the power of validation into the hands of enterprise software buyers, where it belongs. If you’re not doing your own validation, you’re relying on blind trust that vendor questionnaires and SBOMs have you covered. That’s a risk most enterprises shouldn’t have to take.

Take the Spectra Assure Virtual Tour to see how ReversingLabs delivers concrete, verifiable security assurances that exceed CISA's suggestions.

