Mitigate Enterprise Software Supply Chain Security Risks

Security and risk management (SRM) leaders have gained expertise in addressing supply chain issues in internal application development. They can apply this knowledge by helping their organizations follow three practices:

  • Add software supply chain risks to vendor risk management, and educate colleagues in software acquisition roles about the risks of these attacks. This strategy aims to disqualify, or reduce reliance on, vendors with inadequate application security practices.
  • Demand transparency into vendors' application security practices and into the composition and contents of the software they deliver. Doing so facilitates vendor risk assessments and simplifies the response to and mitigation of vulnerabilities.
  • Implement dedicated testing and security evaluations for software supporting high-value or sensitive systems. The scope of testing should span both traditional checks for software vulnerabilities and the identification of malicious code.

 Cybersecurity
ReversingLabs
