Chertoff Group cybersecurity leaders Adam Isles and David London, along with John Steven, senior advisor and CEO of Aedify, led a CyberSymposium learning session on how software purchasers can apply best practices to secure their software supply chains. The discussion covered a summary of software security frameworks and their limitations, the blind spots organizations encounter when addressing subversion of the software lifecycle, and a buyer's guide for evaluating software supply chain security before purchase.
Frameworks
There are a number of authoritative resources that catalogue software development lifecycle best practices. The National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF) has emerged as a leading framework for secure software development practices. SSDF Version 1.2 was released for public comment in December 2025, introducing new practices for continuous process improvement and secure updates, along with new implementation examples.
Other key guidance includes the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Secure by Design framework and the industry-driven Supply-chain Levels for Software Artifacts (SLSA).
While these frameworks and several others provide important guidance, builders and purchasers may still encounter blind spots due to evolving threat tradecraft, code complexity and variance across development lifecycles. Our experts unpack a series of common software supply chain attack vectors and advise that organizations overlay concrete threat scenarios onto their highest-priority software subversion risks, so that controls are chosen against the attacks that matter rather than against a generic checklist.
Software Window Sticker Concept
During the software purchasing process, buyers must consider an overwhelming number of factors to achieve product assurance. To help buying teams, Adam Isles has developed a concept called a window sticker for software products, modeled after the Monroney sticker for automobile purchases. The sticker is intended to provide meaningful insight and discipline when making software acquisitions. Software buyers can benefit from a single, repeatable source of truth that maps theory to practice through process, performance and practice views.
Watch the full discussion on CyberSymposium, a cybersecurity marketplace connecting buyers and sellers.
David London is a principal at The Chertoff Group. Learn more about our Product Assurance services.