Vendor due diligence
Definition
The pre-procurement and ongoing process of assessing a supplier's security practices before and during a commercial relationship. In supply-chain risk management, due diligence includes reviewing the supplier's SBOM, secure development practices, incident response capability, and subcontractor controls.
Related terms
- Dependency confusion
- An attack technique in which an attacker publishes a public package with the same name as an organisation's internal private package at...
- NIST SP 800-161r1
- The US National Institute of Standards and Technology publication 'Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations' (Revision 1, 2022)....
- Software Bill of Materials (SBOM)
- A structured, machine-readable inventory of the software components in a product or system. Captures component names, versions, licences, and dependency relationships. Standard...
- Software Composition Analysis (SCA)
- A category of security tooling that scans source code, build manifests, and container images to identify open-source and third-party components, match them...
- Transitive dependency
- A software library that an application does not import directly but is pulled in automatically because a direct dependency requires it. Transitive...
Explained in
- Supply-Chain Risk and Software DependenciesThe pre-procurement and ongoing process of assessing a supplier's security practices before and during a commercial relationship. In supply-chain risk manageme...