Laws of Security

VENDOR SECURITY MANAGEMENT

Ask the vendor: show me your...

THREAT MODEL

A vendor that takes security seriously performs continuous threat modeling of their products, services, and their whole environment. Asking a vendor for a threat model lets you gauge their security maturity.

SOFTWARE BILL OF MATERIALS (SBOM)

This question is only relevant if you are bringing in a new application or service with a software component. An SBOM gives you a good overview of whether the vendor is using insecure or outdated third-party libraries or code, and whether they have a sound patch management strategy for those components.
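As an added example (not part of the original page), the kind of first-pass review a buyer can run over a vendor's SBOM: parse a CycloneDX JSON document, match each component's package URL against an advisory list, and flag components that are below the first fixed version or that cannot be identified at all. The SBOM, the package names and the advisory entries are all constructed for illustration.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4 SBOM standing in for what a vendor hands over.
VENDOR_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "vendor-portal", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "examplelib", "version": "2.19.0", "purl": "pkg:pypi/examplelib@2.19.0"},
        {"type": "library", "name": "yamlish", "version": "6.0.1", "purl": "pkg:pypi/yamlish@6.0.1"},
        {"type": "library", "name": "acme-widgets", "version": "4.17.21", "purl": "pkg:npm/acme-widgets@4.17.21"},
        {"type": "library", "name": "legacy-parser", "version": "0.1.0"},  # no purl: cannot be matched
    ],
})

# Constructed advisory list: package -> (first fixed version, advisory id placeholder).
# A real review pulls this from a vulnerability database; these entries are illustrative only.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "pkg:pypi/examplelib": ("2.20.0", "ADVISORY-PLACEHOLDER-1"),
    "pkg:npm/acme-widgets": ("4.17.21", "ADVISORY-PLACEHOLDER-2"),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version into a comparable tuple; only the leading digits of each part count."""
    parts = []
    for p in v.split("."):
        lead = ""
        for ch in p:
            if not ch.isdigit():
                break
            lead += ch
        parts.append(int(lead) if lead else 0)
    return tuple(parts)

def review_sbom(sbom_json: str, advisories: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Classify every component as vulnerable, clean, or unidentified (no purl to match on)."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    findings: Dict[str, List[str]] = {"vulnerable": [], "unidentified": [], "clean": []}
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:  # an unidentifiable component is itself a patch-management finding
            findings["unidentified"].append(f"{comp.get('name')}@{comp.get('version')}")
            continue
        pkg = purl.split("@", 1)[0]
        advisory = advisories.get(pkg)
        if advisory and parse_version(comp.get("version", "")) < parse_version(advisory[0]):
            findings["vulnerable"].append(f"{purl} (fixed in {advisory[0]}, {advisory[1]})")
        else:
            findings["clean"].append(purl)
    return findings

if __name__ == "__main__":
    print(json.dumps(review_sbom(VENDOR_SBOM, ADVISORIES), indent=2))
```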

THE LAST 5 SECURITY EVENTS / INCIDENTS

Asking a vendor to show you their last five security events or incidents gives you a good picture of the vendor's security maturity, and of whether there is a lingering security issue with their services or applications.
