Security Impact of Acquired Software

This course is one of four courses covering Domain 1 of the CSSLP. This course explores the topic of security policies and regulations.

Learning Objectives

  • Obtain a general understanding of security policies, regulations, and compliance
  • Understand the legal and privacy issues that these regulations aim to address
  • Learn about a variety of security frameworks and standards
  • Learn about trusted computing principles and how they underpin security frameworks
  • Understand the security implications of acquiring software

Intended Audience

This course is designed for those looking to take the Certified Secure Software Lifecycle Professional (CSSLP) certification, or for anyone interested in the topics it covers.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way that allows the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at



We're always going to have to assess the security impact of acquired software. What we're really considering here is the level of confidence that the software is free of vulnerabilities, whether they were intentionally designed in or left in inadvertently by the developing organization due to insufficient or improper testing.

We have to assume that such vulnerabilities are present, and develop testing regimes and requirements so that they can be tested for and, when found, removed or amended. This testing has to be conducted throughout the software's life cycle to make sure that it continues to function as intended. This is our supply chain management requirement, and in meeting it we must understand exactly what is going on in the supply chain, so that the requirements are precise, correct, and communicated from the earliest phases of the acquisition process through to deployment.

We must regard testing as a mandatory element in this process: it is the proof of assurance that the software has been tested for vulnerabilities, gaps and failed functions, and that everything that could be found has been examined and not found wanting. We have to remember at every step along the way that risk flows along the lines of the signatories to the contract: it passes from one party to the other based on who has signed and who is receiving what deliverable from whom. We also have to recognize that it is a shared responsibility to ensure that what is being designed and built meets the requirements, and that it reaches the best assurance levels we can establish through testing.

So we must engage in risk-based management of our supply chain. We must think about it in terms of what it is, how it's constructed and the various characteristics of the parties that make it up. We have to be sure that we have resilient and integrated security as it flows up and down the lines of responsibility in the supply chain. We have to understand what this contributes to the cost of ownership of the supply chain itself and of the products being developed and delivered. What positive or negative contribution will outsourcing make to it? And how do we decide whether to outsource or to retain the work in-house?

When we look at the various members, processes and flows within the supply chain, we need to develop integrated security assessments that involve multiple parties, so that we can see all of the different steps in the supply chain and examine them for vulnerabilities, flaws, gaps, single points of failure and anything else that could disrupt it. Then we have to put proper monitoring and management in place.

Monitoring consists of the routine tests we do to make sure that what is being done is what is represented as being done, and that the deliverables show the requirements are in fact being met as specified. We can do this through on-site assessments, document exchanges, and reviews. We can make use of independent third-party assessments, such as SSAE 18 and its attendant SOC reports, HITRUST, or ISO standards such as ISO 27001.

All of these are ways to gain increased assurance through independent examination of any party along our supply chain. But such assessments are only the beginning. They tell us about the things we no longer have to be concerned with, but without interactive and proactive management of the supply chain, a lot of other things can go wrong, and we need to be prepared to act if that is the case.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 as Chairman of the Curriculum Development Committee (a professional role), and served in this role until 2004. During this time, he formulated and directed the effort that produced what became, and remains, the standard curriculum used to train CISSP candidates worldwide. He has maintained his standards as a professional educator, training and certifying nearly 8500 CISSP candidates since 1998 and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.