Got Supply Pain? A Real-World Approach to Supply Chain SDL

By Mohit Arora, Richard Tonry on 30 Apr 2025 @ RSAC
#secure-development #devsecops #risk-management #compliance-governance #architecture #supply-chain #supply-chain-security
Focus Areas: ⚖️ Governance, Risk & Compliance, 📦 Software Supply Chain Security, 🔐 Application Security, ⚙️ DevSecOps, 🏗️ Security Architecture

Abstract

So, you have implemented SDL across your organization, but you are having some pain points with your supply chain security. Expanding SDL to suppliers is a challenge with many painful hurdles along the way. Doing that for a large number of suppliers requires a flexible yet standardized approach. This session will share how Dell shifted SDL even further left to include the supply chain at scale.

AI Generated Summary

The talk addresses the challenge of extending a secure development lifecycle (SDL) across the entire technology stack, from hardware through firmware to software and cloud, to the third-party suppliers that contribute to it. It presents a practical methodology developed at Dell for folding supplier security requirements into an organization's existing SDL framework.

The core approach is to derive standardized supplier security requirements and attestation forms from the organization's own internal SDL controls, aligned with industry standards such as NIST and SAFECode so that suppliers recognize them. Two tools were introduced: a supplier risk attestation questionnaire covering process controls (e.g., security training, governance) and a component attestation form covering technical controls (e.g., threat modeling, static analysis). To roll these out across thousands of suppliers, a tiered, risk-based prioritization was used, with criteria specific to each layer: hardware (e.g., tamper detection), firmware (e.g., whether the component has network access), and software/cloud (e.g., data sensitivity and product volume).

Key findings highlight significant operational pain points: contractual negotiations, supplier resistance driven by perceived intellectual-property risk, and the need for cross-functional collaboration among engineering, legal and procurement teams. The speakers argue that attestation alone is insufficient for complex stacks; the ideal future state is suppliers sharing concrete SDL artifacts (e.g., threat models) so that "trust but verify" actually includes the verify step. Practical takeaways: start from requirements that are already aligned internally, lean on industry frameworks to ease supplier adoption, and recognize that a business risk assessment may conclude that a supplier risk has to be accepted when a requirement cannot be met. The overall goal is to shift security considerations further left into the supply chain, reducing risks that would otherwise surface as costly post-deployment fixes or recalls.

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview; always refer to the original talk for authoritative content.