Vendor and Supply Chain Risk
Most modern breaches come through vendors. This shelf explains third party risk fundamentals, how security questionnaires work in practice, and what continuous vendor monitoring actually means.
About this shelf
Vendor and supply chain risk is the discipline of managing the security implications of organisations you do not directly control. It covers two related but distinct problems: third-party risk management (TPRM) — the vendors who have access to your data or environment — and software supply chain security — the open-source dependencies, build pipelines, and packaging infrastructure that make up your products.
The shelf covers both. On the vendor side: how security questionnaires are actually used in practice, what continuous vendor monitoring means beyond an annual SIG-Lite, and how regulatory frameworks (DORA in financial services, NIS2 in EU critical infrastructure, the Australian SOCI Act) are reshaping vendor due diligence into a more structured ongoing obligation. On the software side: how supply chain attacks like SolarWinds, 3CX, and the XZ Utils backdoor actually worked, what an SBOM is and is not useful for, where Software Composition Analysis (SCA) fits in the build pipeline, and how the EU Cyber Resilience Act and US Executive Order 14028 are converging on similar requirements.
The articles are written for security teams who have to actually run vendor risk programmes — not just produce policy documents. That means a focus on what evidence is worth collecting, where the diminishing returns kick in, how to triage thousands of vendor relationships when you only have analyst hours for the top tier, and the operational patterns that the better-run programmes have converged on.
Articles in this shelf (0 articles)
Articles for this shelf are being written.
Check back soon, or browse other shelves in the meantime.