Supplier Threat Flashcards
What aspect of external dependencies has become a more apparent problem recently?
The supply chain, including potential failures and trustworthiness issues.
What can happen if a key supplier company is bought out?
Product support may end, key staff may leave, and needed support might become unavailable.
What is the risk of relying solely on one supplier?
It creates a single point of failure; disruptions (like labor issues) at that supplier can halt the entire business dependent on it.
What is a potential downside of diversifying suppliers after relying on one?
While it reduces single-point-of-failure risk, it brings its own disadvantages (e.g., higher costs, more supplier relationships to manage).
What risk arises from suppliers delivering products?
They might deliver faulty or insecure products, whether hardware or software elements.
What specific example illustrates the risk of insecure software components?
Industrial control systems using old software components written decades ago without security considerations.
Why aren’t these old, insecure software components often updated?
No one is interested in paying to have the software rewritten to be secure.
Why is intellectual property (IP) ownership a concern with software suppliers?
Customers need to ensure they have control over or access to the software IP if needed, especially if the supplier fails.
What mechanism can provide access to software source code if a vendor fails?
Keeping a copy of the source code in escrow.
What are jurisdictional problems in the context of supply chains?
Restrictions on buying from or selling to certain countries, or differing legal requirements (like privacy laws).
What is ‘reshoring’?
Moving operations or production that was previously outsourced offshore back to the local country.
Why might companies engage in reshoring?
To secure the supply chain.
What privacy concern arises when outsourcing software development offshore?
Sending test data to the third-party developer might violate privacy laws if it includes sensitive information (e.g., PHI).
What is a prominent example of a third-party supplier category?
Cloud service providers (for data hosting, processing, etc.).
How can third-party advertising on a website introduce risk?
If the advertising provider is compromised, the website displaying the ads may be compromised in turn.
What security consideration is crucial when using third parties for data archiving?
Ensuring the third party can adequately protect the stored data from compromise.
What fundamental assumption should guide secure software design?
That the software will be attacked.
What knowledge is essential for writing secure software?
Familiarity with the various attack vectors and common threats, including those related to the supply chain.