Supply Chain Security: Managing Third-Party Risk

Supply chain security addresses the risk posed by your suppliers, partners, and the software components they provide. High-profile incidents such as SolarWinds and Log4Shell demonstrated that attackers increasingly target the supply chain as a route to compromise downstream organisations.

Categories of Supply Chain Risk

  • Software supply chain: Open-source libraries, commercial software, and SaaS tools used in development and operations
  • Service providers: Cloud platforms, managed service providers, subcontractors with access to your systems
  • Development tools: CI/CD pipelines, code repositories, package managers — all of which can be compromised to inject malicious code

How We Manage Supply Chain Risk

  • All third-party dependencies are tracked in a Software Bill of Materials (SBOM)
  • Automated vulnerability scanning identifies known CVEs in dependencies
  • We use package signing and integrity verification where available (npm provenance, pip hash checking)
  • Our CI/CD infrastructure is access-controlled and audited
  • Subcontractors and suppliers undergo security assessment before engagement
  • We maintain Data Processing Agreements with all subprocessors handling your data
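To make the "integrity verification" control concrete, here is an added example (not Progressive Robot's own tooling) that models what pip does under `--require-hashes`: every dependency must be pinned to an exact version, must carry at least one `--hash=`, and the downloaded artifact must match one of the pinned digests or the install is refused. The requirements text, the artifact bytes and the package name `demo-lib` are all constructed for the demonstration.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Requirement line in pip's hash-checking format:
#   name==version --hash=algo:hex [--hash=algo:hex ...]
# Backslash line continuations (as pip-compile emits them) are joined first.
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s\\]+)")
HASH_RE = re.compile(r"--hash=([a-z0-9]+):([0-9a-fA-F]+)")


@dataclass
class PinnedRequirement:
    name: str
    version: str
    hashes: dict = field(default_factory=dict)  # algorithm -> set of hex digests


def parse_requirements(text: str) -> list:
    """Parse a requirements file, requiring every line to be an exact pin."""
    joined = text.replace("\\\n", " ")
    reqs = []
    for raw in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # drop comments
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"not an exact pin (name==version): {line!r}")
        req = PinnedRequirement(m.group(1).lower(), m.group(2))
        for algo, digest in HASH_RE.findall(line):
            req.hashes.setdefault(algo, set()).add(digest.lower())
        reqs.append(req)
    return reqs


def verify_artifact(req: PinnedRequirement, data: bytes) -> bool:
    """True only if the artifact matches one of the digests pinned for req."""
    for algo, digests in req.hashes.items():
        try:
            actual = hashlib.new(algo, data).hexdigest()
        except ValueError:  # algorithm not supported by this interpreter
            continue
        if actual in digests:
            return True
    return False


def check_install(reqs: list, artifacts: dict) -> list:
    """Return (name, reason) problems; an empty list means the install may proceed."""
    problems = []
    for req in reqs:
        if not req.hashes:
            problems.append((req.name, "no --hash pinned; refused under require-hashes"))
            continue
        data = artifacts.get(req.name)
        if data is None:
            problems.append((req.name, "artifact not available"))
        elif not verify_artifact(req, data):
            problems.append((req.name, "hash mismatch: artifact differs from pinned digest"))
    return problems


# Constructed sample input: stand-in bytes for a wheel, and a requirements file
# whose first entry pins that wheel's sha256 and whose second entry has no hash.
GOOD_ARTIFACT = b"constructed bytes standing in for demo-lib-1.0.0-py3-none-any.whl"
GOOD_SHA256 = hashlib.sha256(GOOD_ARTIFACT).hexdigest()
SAMPLE_REQUIREMENTS = f"""
# constructed requirements.txt in pip's hash-checking format
demo-lib==1.0.0 \\
    --hash=sha256:{GOOD_SHA256}
unpinned-hash-free==2.0.0   # no hash: rejected under --require-hashes
"""


if __name__ == "__main__":
    reqs = parse_requirements(SAMPLE_REQUIREMENTS)
    tampered = GOOD_ARTIFACT + b" plus an injected change"
    print("clean artifact:", check_install(reqs[:1], {"demo-lib": GOOD_ARTIFACT}))
    print("tampered artifact:", check_install(reqs, {"demo-lib": tampered}))
```

The point of the check is that a mirror, proxy or compromised registry can substitute a different artifact for the same name and version; only comparing the bytes actually fetched against a digest recorded at review time catches that. The real `pip install --require-hashes -r requirements.txt` applies the same three rules (exact pin, hash present, hash matches) to every package, including transitive dependencies, which is why lock files with hashes should be generated for the full dependency tree.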

What You Can Do

  • Request security questionnaires from all your significant technology suppliers — including Progressive Robot
  • Review supplier access to your systems regularly — revoke access that is no longer needed
  • Ensure suppliers are contractually required to notify you of security incidents that may affect your systems