Pat Opet, CISO at JPMorganChase, recently posted an open letter regarding third-party software risk that was a call to action. In it, he describes the non-negotiable software supply chain risks that are inherent in the software procurement process and issues a clear plea to suppliers: “We need your action.”
Opet’s letter followed Verizon Business' release of the 2025 Data Breach Investigation Report (DBIR), which cited a 100% increase in breaches stemming from third-party software providers this past year.
Such undeniable evidence should prompt organizations to take a hard look at the commercial software they are purchasing and using. But questions still remain as to whether or not organizations are trying to meet the challenge.
A recent ISACA virtual event sponsored by ReversingLabs (RL), Don’t Buy a Breach: Securing Third-Party Commercial Software, drew 600 security and risk practitioners and explored the subject of third-party software risk management (TPSRM) in depth. In the session, RL's chief trust officer, Saša Zdjelar, and RL's director of product management, Charlie Jones, expanded on the threats to commercial software and advised attendees on how they can start building out a robust program for TPSRM.
Here are the key takeaways from the session’s experts — and what attendees had to say about TPSRM in the real world.
Why traditional TPRM tools don’t work
While knowledge of software supply chain attacks has increased greatly among practitioners and CISOs, many are still using outdated security checks that may work for traditional TPRM – but not TPSRM. In the first poll sent out to attendees in ISACA’s webinar, respondents were asked to select all of the tools that their organization is currently using to secure third-party commercial software.
Their responses were telling. Of the 598 security and risk practitioners who responded, about 70% reported using vendor questionnaires, a long-standing TPRM tool. This presents a major coverage gap in the third-party software procurement process, because questionnaires can be incomplete or misleading. Most importantly, questionnaires filled out by a third-party vendor can’t be verified with factual evidence by a reputable fourth party.
In a similar vein, a quarter of respondents reported that their organizations rely on requests for information (RFIs), which also cannot be verified for how they portray the security risks in a commercial software product.
Respondents also reported using antivirus scanning and penetration testing, each cited by 33% of respondents. While these tools are essential and long proven for cybersecurity, Zdjelar stressed to attendees that both methods have serious limitations when it comes to pinpointing every kind of threat to the software supply chain.
Most interesting was that only 11% of respondents reported that their organizations use software bills of materials (SBOMs). While SBOMs are not a "be-all and end-all" solution for vetting third-party software, they do serve as an important first step in providing transparency of the software package. This means that the vast majority of organizations haven’t even taken this first step in upholding TPSRM.
Checks that go beyond what is asked of the vendor are badly needed, especially given the nature of modern software development. As Zdjelar reminded attendees:
“All of our businesses are dependent on someone else’s software … but even they [the third-party software providers] don’t make all of the software themselves.”
–Saša Zdjelar
Time for a reality check
When attendees were asked how secure they felt with their current tooling, the majority of them (59%) reported feeling “somewhat protected.” This surprised Zdjelar, who stressed to attendees that the tools they are relying on simply do not meet the requirements for verifying the security of their commercial software products in use.
Zdjelar introduced a powerful alternative to legacy tooling: complex binary analysis. This technology, which is core to RL Spectra Assure, offers factual and reputable verification of a software package’s security — without the need for its source code.
Security and risk teams can use complex binary analysis to assess every kind of software supply chain risk that could be lurking in the third-party commercial software their organization relies on. This includes malware, tampering, vulnerabilities, secret leaks, and more.
Some attendees were skeptical of independently validating a vendor’s product using binary analysis. But Zdjelar said that independent verification is essential — and well within your rights as a software consumer. “There is nothing that prevents you from testing something you have bought,” he said.
Drawing from his own experiences working with several RL customers who rely on Spectra Assure for their TPSRM, Jones said that using complex binary analysis is well worth the extra effort because you're taking ownership of the risk coming into your organization.
“To be clear, vendors will engage with you and fix issues. … It’s much harder to refute or argue that the findings of complex binary analysis technology are irrelevant, because it’s based on the product that’s actually being analyzed.”
—Charlie Jones
Where to go from here on TPSRM
Once organizations adopt complex binary analysis tooling in their TPSRM process, they need to properly scale the verification of all of the software products in use. Fortune 500 enterprises may be using tens of thousands of software package versions at once – making this security verification process all the more daunting and essential, Jones stressed.
Relying on complex binary analysis comes with practical realities, even for the Fortune 500, which is why Jones walked the audience through the experience and showed how organizations can best operationalize TPSRM. This involves identifying the right products to test, conducting proper analyses, taking action to mitigate any security concerns raised, and then continually monitoring the software products using differential analysis of package versions.
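To make that last step concrete, here is an added example (not code from the webinar, RL, or Spectra Assure) of what differential analysis of two package versions looks like in its simplest form: hash every file in the old and new version, inspect only the delta, and raise review items for new or changed executable content, credential-like strings, or removed files. The package contents, the executable magic bytes and the secret pattern are all constructed for this example.

```python
import hashlib
import re
# Constructed sample data: two versions of a hypothetical vendor package as {path: bytes}.
OLD_VERSION = {
    "bin/app": b"\x7fELF" + b"\x00" * 12,
    "lib/helper.py": b"def run():\n    return 1\n",
    "README.md": b"Vendor app 1.0\n",
}
NEW_VERSION = {
    "bin/app": b"\x7fELF" + b"\x01" * 12,                       # binary rebuilt
    "lib/helper.py": b"def run():\n    return 1\n",             # untouched
    "scripts/postinstall.sh": b"#!/bin/sh\necho installed\n",   # new install hook
    "config/settings.py": b"API_KEY = 'AKIAIOSFODNN7EXAMPLE'\n",  # AWS doc example key
}
EXEC_MAGIC = (b"\x7fELF", b"MZ", b"#!")          # ELF, PE, script shebang
SECRET_RE = re.compile(rb"AKIA[0-9A-Z]{16}")     # hypothetical, deliberately narrow pattern


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_versions(old: dict, new: dict) -> dict:
    """Classify each path as added, removed, modified or unchanged by content hash."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    modified = sorted(p for p in new if p in old and sha256(new[p]) != sha256(old[p]))
    unchanged = sorted(p for p in new if p in old and p not in modified)
    return {"added": added, "removed": removed, "modified": modified, "unchanged": unchanged}


def flag_changes(old: dict, new: dict) -> list:
    """Inspect only what differs between versions, so review effort tracks the delta."""
    diff = diff_versions(old, new)
    findings = []
    for path in diff["added"] + diff["modified"]:
        data, status = new[path], ("added" if path in diff["added"] else "modified")
        if data.startswith(EXEC_MAGIC):
            findings.append((path, f"{status} executable content"))
        if SECRET_RE.search(data):
            findings.append((path, f"{status} file contains a credential-like string"))
    for path in diff["removed"]:
        findings.append((path, "removed from package"))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason in flag_changes(OLD_VERSION, NEW_VERSION):
        print(f"{path}: {reason}")
```

Real tooling works on the extracted package contents and far richer indicators, but the shape is the same: the unchanged files need no re-review, and every finding is tied to a concrete file in the version actually shipped.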
Learn how to operationalize complex binary analysis to combat supply chain threats in the full webinar with Zdjelar and Jones (free for ISACA members). Plus, explore how ReversingLabs helps organizations assess and manage third-party risk — and download the white paper on the topic.