By Nate Cote
So, you are charged with selecting the best IT product to deploy in your organization's infrastructure, but which product should you purchase? Of course there are the straightforward items that need to be addressed, such as performance, compatibility, price, and support.
But what about the actual "guts" of the product?
As the incidence of cyber warfare expands, whether it is sponsored by nation-states, ethically challenged corporations, or individual hackers, it becomes increasingly important to be able to trust the products we rely on to keep the "bad stuff" out. There have been numerous reports of rootkits and trojans planted at the component level (in chips and firmware) so that a product infiltrates the network from the inside, bypassing the perimeter defenses it was bought to provide. Government agencies have stepped up their diligence regarding which products are allowed to protect infrastructure at high security levels. But commercial businesses and end users do not always have access to the same kind of information or resources that government agencies do.
While it is difficult to really understand how well a vendor in the IT space secures its supply chain against tampering, there are a few reasonable steps that can be taken to at least improve the odds that the product is what it claims to be. The most straightforward is to stick with a company that has a solid reputation and a customer list that includes organizations that take their security seriously (government agencies, financial institutions, etc.). The thinking here is two-fold: 1) The vendor has a great deal to lose if it compromises its customers' trust, so there should be adequate supply chain measures in place on its end. 2) You can piggyback on the due diligence of peers to help validate your own independent research. Keep in mind that this is a signal, not evidence: a reference customer's own review may have been limited in scope or done under a non-disclosure agreement you cannot see, so it supplements your research rather than replacing it.
Another step is to inquire whether the product has undergone any independent evaluation that requires an in-depth analysis of supply chain management, such as Common Criteria (ISO/IEC 15408). Common Criteria's life-cycle support (ALC) assurance class covers exactly this ground: configuration management of the product's components, security of the development environment, and documented delivery procedures that protect the product from the component level, through production, integration, and loading, and on through the distribution network to the end user. Two checks are worth making here. First, confirm the certificate on the Common Criteria portal (https://www.commoncriteriaportal.org) rather than taking a marketing claim at face value. Second, read the Security Target: the evaluation covers a specific version and configuration of the product, and the supply chain assurance requirements get more demanding at higher assurance levels, so a certified product is only as covered as the version and level you are actually buying.
The third step is to simply ask the vendor. Depending on what is requested, a vendor may be willing to disclose certain facts about its supply chain (for example, where components are sourced and where assembly takes place, how firmware and software are signed and how that signature can be verified on receipt, and how tampering in transit would be detected) and to put those commitments in writing as part of a contract negotiation. Written commitments matter more than verbal assurances, because they give you recourse if they turn out to be false. It never hurts to ask.
Following these steps is a relatively easy way to gain additional insight into the overall security of a product and its vendor. A little due diligence can go a long way toward identifying weaknesses within the supply chain and giving you additional peace of mind.