
Chertoff Group Leaders on How Buyers Should Evaluate Software Supply Chain Risk


Leaders from The Chertoff Group said software security frameworks are a starting point for organizing best practices, but software buyers need a clearer, threat-informed way to evaluate real security outcomes.



During a CyberSymposium session on software supply chain security, Adam Isles, principal and head of the cybersecurity practice at The Chertoff Group; David London, a principal for cybersecurity at the firm; and John Steven, a senior adviser to The Chertoff Group and CEO of Aedify, said organizations should move beyond framework alignment and vendor attestations by applying a buyer’s guide designed to measure meaningful risk reduction.

What Is the Current Software Security Framework Landscape?

The panelists acknowledged that a range of frameworks now guide secure development efforts.

Isles pointed to the National Institute of Standards and Technology’s Secure Software Development Framework, Cybersecurity and Infrastructure Security Agency’s Secure by Design initiative and the European Union’s Cyber Resilience Act as leading examples. He also noted the growing importance of software bills of materials and the codification of minimum SBOM-related elements under the EU’s regulatory regime.

While these frameworks provide foundational guidance, London said they are not inherently threat-informed.

What Are the Common Software Supply Chain Attack Vectors?

To ground the buyer’s guide in real-world risk, the speakers outlined four core attack vectors across the software development lifecycle: injection of malicious code or exploitation of vulnerable code; compromise of third-party dependencies; subversion of the software build process; and tampering during delivery or download.

London referenced SolarWinds as a watershed example of build compromise and said attackers increasingly target weaknesses across the full development lifecycle.

A Buyer’s Guide Built Around 3 Evaluation Lenses

To help software buyers navigate a crowded landscape of guidance and vendor claims, Isles proposed a buyer’s guide built around three evaluation lenses: process, performance and practice.

For the process view, Isles said buyers should examine whether vendors have development processes aligned to frameworks such as SSDF that, in theory, should enable them to build well-secured software.

“The performance view says, all right, let’s verify. Give me some technical observability into product security, hygiene, and performance. Prove it to me,” he noted. “And the practice view focuses on both application hardening and end-user security features, and particularly risk-reducing practices that we want to ask whether they’ve been embedded into a product. Do they come standard? Are they optional?”

What Is the ‘Window Sticker’ Concept for Software?

To simplify software evaluations, Isles proposed a “window sticker” for software modeled after the Monroney sticker required for automobiles under the Automobile Information Disclosure Act of 1958.

The automotive sticker provides transparency about features, sourcing and crash test ratings.

Isles argued that software buyers face a similar transparency challenge today. A standardized window sticker for software could consolidate key security attributes into a repeatable format organized around process, performance and practice. He said the approach could give buyers greater transparency into how vendors build and secure their products.

Steven noted that a standardized model could reduce the friction created by inconsistent security questionnaires.

London said a consolidated reporting format that is consistent for both buyers and vendors could help drive meaningful improvements across the market.



Written by Jane Edwards, a staff writer at Executive Mosaic, where she writes for ExecutiveBiz about IT modernization, cybersecurity, space procurement and industry leaders’ perspectives on government technology trends.
