🍎 Hack23 Discordian Cybersecurity Blog

📦 Supplier Security: Your Attack Surface Includes Your Vendors

"Trust your vendors? (LOL). Supply chain attacks start with trust. Your security is only as good as your weakest supplier. SolarWinds, Log4Shell, MOVEit—modern breaches come through the supply chain. Think for yourself about your actual supply chain risk."

🎯 THE GOLDEN APPLE OF SUPPLY CHAIN CONSCIOUSNESS

Picture this: You've hardened your infrastructure. Patched everything. Deployed zero trust. Trained your users. Passed your audits. And then your vendor gets breached. Game over.

SolarWinds (2020): 18,000 organizations compromised through a trusted software update. Russian SVR inserted a backdoor into the build pipeline. Nine months of persistence before detection. Perfect internal security didn't matter when the supplier was compromised.

Log4Shell (2021): Zero-day in ubiquitous logging library. Every Java application on Earth potentially vulnerable. Attackers scanning within hours. Patches racing against exploitation. Your code was secure. Your dependency wasn't.

MOVEit (2023): File transfer software exploited by ransomware group. Thousands of organizations breached through single vendor weakness. Healthcare, government, enterprise—all trusted the same tool. Transitive trust became transitive breach.

The pattern? Supply chain security is transitive trust topology. Your suppliers bring their suppliers' risk. Your dependencies bring their dependencies' vulnerabilities. Security is only as strong as the weakest link in your supply chain. FNORD.

CHAPEL PERILOUS ENTRY POINT: You just realized your AWS account is one phishing email away from compromise. Your GitHub repository is one leaked token from being public. Your payment processor is one API vulnerability from exposing customer data. Every supplier is simultaneously critical infrastructure and potential attack vector. Both are true. The paranoia is justified. Welcome to supply chain consciousness. Nothing is true. Everything is permitted. Except blindly trusting your vendors. That's just stupid.

⭐ THE FIVE SUPPLIER RISK DIMENSIONS (LAW OF FIVES APPLIED TO VENDOR MANAGEMENT)

Everything comes in fives when you're paranoid enough. The Law of Fives reveals five supplier risk dimensions, each requiring independent evaluation:

1️⃣ Security Posture

What it means: How secure is the supplier's infrastructure, development practices, and operational security?

What to check:

  • Certifications: SOC 2 Type II (not Type I!), ISO 27001, PCI DSS if handling payments
  • Penetration Testing: When was the last test? Who performed it? Can you see results?
  • Vulnerability Management: How fast do they patch? CVE response time? Public disclosure policy?
  • Incident History: Have they been breached? How did they respond? Did they notify customers?
  • Security Team: Do they have one? CISO? Security engineering? Or is it "handled by IT"?

Reality check: "SOC 2 compliant" without seeing the report means nothing. Type I audit is point-in-time theater. Type II is one year of evidence. Ask for the report. Read the exceptions. Trust, but verify. Actually, skip the trust part. Just verify.

2️⃣ Data Processing

What it means: What data does the supplier access, process, or store? Where? For how long?

What to check:

  • Data Location: Where is data stored? EU? US? Multi-region? Can you choose?
  • Data Retention: How long do they keep it? Can you delete it? Backup retention?
  • Data Processing Agreement (DPA): GDPR-compliant? Audit rights? Subprocessor list?
  • Encryption: At rest? In transit? Key management? Who controls keys?
  • Access Controls: Who can access your data? MFA required? Audit logs available?

Reality check: Free tier SaaS has zero security guarantees. "Terms of Service" ≠ Data Processing Agreement. "Encrypted" without key control means they can read everything. GDPR isn't optional in EU. DPA isn't a nice-to-have. It's mandatory.

3️⃣ Business Continuity

What it means: What happens when (not if) the supplier has an outage, breach, or goes out of business?

What to check:

  • SLA: What's guaranteed? Uptime percentage? Response time? Financial penalties?
  • RTO (Recovery Time Objective): How fast can they restore service? Hours? Days?
  • RPO (Recovery Point Objective): How much data loss is acceptable? Real-time? Daily backups?
  • Backup Strategy: Do they backup? Where? How often? Can you restore?
  • Exit Strategy: Can you export your data? In what format? How long does migration take?

Reality check: "Best effort" SLA = no SLA. Multi-region architecture sounds great until both regions fail (yes, it happens). Switching costs and switching time determine how trapped you are. Vendor lock-in is strategic risk disguised as convenience.

4️⃣ Compliance

What it means: Does the supplier meet regulatory requirements for your industry and geography?

What to check:

  • GDPR: If you're in EU or serving EU customers, non-negotiable. DPA required.
  • ISO 27001: Information security management system certification. Real, not marketing.
  • Industry-Specific: PCI DSS (payments), HIPAA (healthcare), FedRAMP (US government)
  • Regional Requirements: Data residency laws, sovereignty requirements, local regulations
  • Audit Rights: Can you audit them? Send assessors? Review compliance evidence?

Reality check: "Compliance" badges on website ≠ actual compliance. Ask for reports. Check expiration dates. Verify scope. Compliance theater is expensive theater that doesn't prevent breaches.

5️⃣ Financial Stability

What it means: Will the supplier still exist next year? Can they afford security investment?

What to check:

  • Company Age: Startup? Established? Acquired? Bankruptcy risk?
  • Funding: VC-backed burn rate? Profitable? Revenue growth?
  • Market Position: Leader? Challenger? Niche player? Dying product?
  • Customer Base: Many small customers? Few large? One big customer = risk
  • Support Quality: Responsive? 24/7? Community forum only? Pay-per-incident?

Reality check: Free services get shut down. Unprofitable startups get acquired and killed. Market leaders get complacent. Your mission-critical supplier's financial problems become your operational problems. Diversification isn't just for investments. It's for suppliers too.

META-ILLUMINATION: The Law of Fives isn't mysticism. It's pattern recognition. Five supplier risk dimensions aren't arbitrary—they're the minimum viable paranoia framework. Security Posture (can they protect?), Data Processing (do they respect?), Business Continuity (will they survive?), Compliance (must they comply?), Financial Stability (can they invest?). Miss one dimension, create one vulnerability. Assess all five, understand actual risk. Nothing is true. Everything is permitted. Except incomplete supplier assessments. That's how breaches happen. FNORD.

🏢 HACK23 SUPPLIER REALITY: ACTUAL ASSESSMENTS, NOT VENDOR QUESTIONNAIRE THEATER

We practice what we preach. Every supplier assessed. Every risk documented. Every dependency classified. Complete transparency in SUPPLIER.md (110KB of actual assessments, not marketing fluff).

This isn't vendor management. It's third-party risk archaeology revealing your extended attack surface.

🔴 AWS: Mission Critical Infrastructure

Classification: Tier 1 Mission Critical (Extreme confidentiality, Critical integrity, Mission Critical availability)

Reality:

  • Security Posture: ✅ ISO 27001, SOC 2 Type II, PCI DSS, FedRAMP High. Multi-region DR.
  • Data Processing: ⚠️ US-based company, EU data residency available, encryption at rest/transit, customer-managed keys possible
  • Business Continuity: 99.99% SLA, <5 min RTO, <1 min RPO, 24/7 support
  • Compliance: ✅ GDPR compliant, extensive compliance program, audit rights
  • Financial Stability: ✅ Market leader (33% market share), Amazon-backed, profitable

Risk Assessment: Very high vendor lock-in. Proprietary services create switching costs. Multi-region architecture mitigates outage risk. Shared responsibility model means AWS secures infrastructure, you secure everything else.

Porter's Five Forces: Extreme supplier power. High entry barriers. Minimal substitute threat. Dominant rivalry advantage. Translation: They own you. Plan accordingly.

🟠 GitHub: Code Repository & CI/CD

Classification: Tier 2 Business Essential (Very High confidentiality, Critical integrity, High availability)

Reality:

  • Security Posture: ✅ SOC 2 Type II, ISO 27001, SLSA Level 3, Advanced Security features, secret scanning
  • Data Processing: ⚠️ US-based (Microsoft), code stored globally, audit logs available, DPA signed
  • Business Continuity: 99.9% SLA, 5-60 min RTO, business hours support
  • Compliance: ✅ GDPR compliant, SOC 2 annually, comprehensive security program
  • Financial Stability: ✅ Microsoft-owned, 90% market share, enterprise-focused

Risk Assessment: High lock-in due to GitHub Actions, Copilot, Advanced Security integration. GitLab alternative exists. Local backups mitigate risk. Repository compromise = intellectual property theft = game over.

Real Talk: One leaked Personal Access Token = full repo access. One compromised Actions runner = supply chain attack vector. One weak 2FA = credential stuffing target. Secure your GitHub like it's your production database. Because it is.

🟠 SEB: Corporate Banking

Classification: Tier 2 Business Essential (Very High confidentiality, Critical integrity, High availability)

Reality:

  • Security Posture: ✅ Swedish FSA regulated, PSD2 compliant, SWIFT network member
  • Data Processing: ✅ Sweden-based, Swedish data residency, GDPR native compliance
  • Business Continuity: 99.5% SLA, 1-4 hour RTO, 24/7 emergency support
  • Compliance: ✅ FSA oversight, AML/KYC verified, strong customer authentication
  • Financial Stability: ✅ Major Swedish bank, centuries-old, systemically important financial institution

Risk Assessment: Swedish oligopoly limits alternatives. High switching costs (payroll, integrations). Regulatory requirements create lock-in. Banking security is regulated security. Trust, but verify. Actually, just verify.

Supply Chain Insight: Bank breach = financial data exposure = customer notification requirement = reputational damage = regulatory investigation. Financial services suppliers need highest security scrutiny.

🟡 Security Tooling: FOSSA, SonarSource, StepSecurity

Classification: Tier 3 Operational Support (Moderate confidentiality, Moderate integrity, Standard availability)

Reality:

  • Security Posture: ✅ SOC 2 Type II (SonarSource, FOSSA), GitHub-native security (StepSecurity)
  • Data Processing: ⚠️ Code analysis data processed, limited retention, free tier for OSS
  • Business Continuity: ⚠️ Best effort SLA, community support, easy alternatives exist
  • Compliance: ⚠️ GDPR-aware, limited audit rights, standard terms
  • Financial Stability: ✅ Established players (SonarSource, FOSSA), emerging (StepSecurity)

Risk Assessment: Very low lock-in. Multiple alternatives available. Free tier for public repositories. Easy switching. Security tools for security. Meta-security assessment required.

Supply Chain Paradox: Using security tools creates dependency on their security. OpenSSF Scorecard, Dependabot, FOSSA, SonarSource—all assess our dependencies while becoming our dependencies. Recursive supply chain risk. Welcome to Chapel Perilous.

SUPPLIER REALITY ILLUMINATION: These aren't theoretical assessments. This is our actual supplier landscape documented in SUPPLIER.md. AWS Extreme classification = €10K+ daily loss potential. GitHub Critical integrity = one token leak from IP theft. SEB Critical operational = payroll failure cascades. Every supplier assessment reveals extended attack surface. Porter's Five Forces analysis reveals vendor power. CIA+ classification reveals data impact. Business continuity analysis reveals recovery capability. The paranoia is evidence-based. The documentation is radical transparency. The risk acceptance is CEO-approved. FNORD.

🚨 SUPPLY CHAIN ATTACK VECTORS: HOW VENDORS BECOME VULNERABILITIES

Modern attack patterns target the supply chain because direct attacks are harder:

1️⃣ Compromised Software Updates

Attack: Inject malware into legitimate software update mechanism

Example: SolarWinds Orion backdoor, CCleaner supply chain attack, ASUS Live Update backdoor

Why it works: Users trust automatic updates. Vendors have signing keys. Detection is delayed.

Defense: Code signing verification, update transparency logs, staged rollouts, anomaly detection

2️⃣ Dependency Confusion

Attack: Upload a malicious package with the same name as an internal one to a public registry, with a higher version number

Example: PyPI typosquatting, npm dependency confusion, internal package names leaked

Why it works: Package managers check public repositories first. Developers copy-paste code. Typos happen.

Defense: Private package repositories, namespace protection, dependency pinning, SBOM generation

3️⃣ Compromised Build Pipeline

Attack: Inject malicious code during CI/CD build process before signing

Example: CodeCov supply chain attack, GitHub Actions exploitation, compromised build agents

Why it works: Build systems have elevated privileges. Artifacts are trusted. Detection is pre-production.

Defense: SLSA compliance, reproducible builds, build attestation, StepSecurity hardening

4️⃣ Vendor Breach Lateral Movement

Attack: Breach vendor, pivot to their customers through shared infrastructure or credentials

Example: Target HVAC breach, Kaseya ransomware, MOVEit file transfer exploitation

Why it works: Vendors have customer access. Shared credentials exist. Trust relationships enable pivoting.

Defense: Network segmentation, credential isolation, zero trust architecture, least privilege

5️⃣ Transitive Dependency Vulnerabilities

Attack: Exploit vulnerability in dependency of dependency (transitive dependency)

Example: Log4Shell in log4j-core, Heartbleed in OpenSSL, Struts vulnerabilities

Why it works: Transitive dependencies are invisible. Updates are delayed. Impact is widespread.

Defense: Dependency scanning, SBOM generation, automated updates, vulnerability monitoring

Pattern recognition: Supply chain attacks work because trust is transitive but security isn't. You trust your vendor. Your vendor trusts their vendor. Attackers exploit the chain. The weakest link determines the strength. The Law of Fives applies: Five attack vectors, five defense layers, five failure modes. Everything connects. Nothing is isolated. FNORD.
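Added example, not code from this post or from Hack23: the check that vectors 2 and 5 call for, walking a CycloneDX-style SBOM dependency graph and printing the root-to-component path for every component an advisory covers, so a transitive hit like log4j-core two hops down is no longer invisible. The SBOM, the version numbers and the advisory entry are constructed sample data; the advisory id is a placeholder.

```python
"""Make transitive dependencies visible: walk a CycloneDX-style SBOM
dependency graph and report the root-to-component path for every
component an advisory covers. SBOM and advisory data are constructed."""
import json
from collections import deque

# Constructed CycloneDX-like SBOM (only the fields this check needs).
SBOM_JSON = r'''
{
  "metadata": {"component": {"bom-ref": "pkg:maven/example/app@1.0.0",
                             "name": "app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:maven/example/audit@0.9.1", "name": "audit", "version": "0.9.1"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "name": "log4j-core", "version": "2.14.1"},
    {"bom-ref": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1",
     "name": "log4j-api", "version": "2.14.1"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/example/app@1.0.0",
     "dependsOn": ["pkg:maven/example/audit@0.9.1"]},
    {"ref": "pkg:maven/example/audit@0.9.1",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"]},
    {"ref": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
     "dependsOn": ["pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"]}
  ]
}
'''
SBOM = json.loads(SBOM_JSON)

# Constructed advisory feed entry; the id is a placeholder, not a real identifier.
ADVISORIES = [{"id": "ADVISORY-PLACEHOLDER-1", "name": "log4j-core", "fixed_in": "2.15.0"}]


def version_key(version):
    """Numeric comparison key for plain dotted versions (non-digits are dropped)."""
    return tuple(int("".join(ch for ch in part if ch.isdigit()) or 0)
                 for part in version.split("."))


def is_affected(component, advisory):
    """True when the component is the advisory's package at a version below the fix."""
    return (component["name"] == advisory["name"]
            and version_key(component["version"]) < version_key(advisory["fixed_in"]))


def find_vulnerable_paths(sbom, advisories):
    """Breadth-first walk from the root; one hit per affected component with the
    shortest path that reaches it, so the direct dependency that pulls it in is named."""
    components = {c["bom-ref"]: c for c in sbom["components"]}
    root = sbom["metadata"]["component"]
    components[root["bom-ref"]] = root
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    hits, seen = [], set()
    queue = deque([(root["bom-ref"], [root["bom-ref"]])])
    while queue:
        ref, path = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        component = components.get(ref)
        if component is None:  # dangling ref: the SBOM itself is incomplete
            continue
        for advisory in advisories:
            if is_affected(component, advisory):
                hits.append({"advisory": advisory["id"],
                             "path": [f'{components[r]["name"]}@{components[r]["version"]}'
                                      for r in path],
                             "transitive": len(path) > 2})  # deeper than a direct dependency
        for child in edges.get(ref, []):
            queue.append((child, path + [child]))
    return hits
```

Run against a real CycloneDX file by replacing SBOM_JSON with its contents and ADVISORIES with your vulnerability feed; anything reported with transitive set to True is a dependency your own manifest never names.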

📋 VENDOR SECURITY QUESTIONNAIRES: WHY THEY'RE INSUFFICIENT (BUT STILL NECESSARY)

Annual vendor questionnaire theater: 100+ questions. Yes/no checkboxes. "Describe your security program" essay answers. Everyone claims SOC 2. Nobody shares the report. Questionnaires are security theater disguised as due diligence.

Why questionnaires fail:

What actually works:

✅ Continuous Monitoring

Track security posture over time, not point-in-time snapshot. Status pages, breach notifications, security advisories, community intelligence.

Hack23 approach: Tier 1 suppliers = quarterly review, Tier 2 = monthly check, Tier 3 = automated monitoring. Documented in SUPPLIER.md.

✅ Evidence-Based Assessment

Don't accept claims. Request reports. SOC 2 Type II (full report, not summary). Penetration test results. Vulnerability scan data. Incident response procedures.

Hack23 approach: Tier 1 suppliers provide annual reports. Tier 2 provide security questionnaires with evidence. No exceptions.

✅ Risk-Based Prioritization

Not all suppliers are equal. Critical suppliers get deep assessment. Supporting services get basic review. Match effort to risk.

Hack23 approach: 4-tier classification (€10K+ = Tier 1 Critical). Porter's Five Forces analysis reveals vendor power. CIA+ classification reveals data risk.

✅ Contractual Controls

Put requirements in contracts, not questionnaires. DPA for GDPR. SLA with penalties. Breach notification timeframe. Audit rights. Exit procedures.

Hack23 approach: Tier 1 = 24-hour breach notification, annual audit rights. Tier 2 = 48-hour notification, DPA required. All documented.

Real talk: Vendor questionnaires are necessary evil. Regulatory checkbox. Compliance requirement. Do them. But don't mistake questionnaire completion for actual risk assessment. Trust, but verify. Actually, skip the trust. Just verify. Continuously. With evidence. And document everything because memory is fallible and auditors are skeptical. FNORD.

🎯 CONTINUOUS SUPPLIER MONITORING: PARANOIA AS OPERATIONAL SECURITY

Annual vendor review = 364 days of unmonitored risk. Continuous monitoring is recognizing that supplier security posture changes constantly.

🔍 Automated Monitoring

What to monitor:

  • Service Status: Subscribe to status pages. AWS status, GitHub status, all critical suppliers.
  • Security Advisories: CVE notifications, security bulletins, vendor security blogs
  • Breach News: Google Alerts for "[Vendor] breach", security news aggregators, community intelligence
  • Compliance Status: Certificate expiration dates, SOC 2 report dates, ISO recertification timelines
  • Financial Health: Funding announcements, layoff news, acquisition rumors, market position

Hack23 implementation: Automated monitoring for all Tier 1-3 suppliers. Status page webhooks. Security advisory RSS feeds. Quarterly manual review.

📊 Tier-Based Oversight

Frequency matches risk:

  • Tier 1 (Mission Critical): Quarterly executive review, annual Porter's Five Forces reassessment, continuous automated monitoring
  • Tier 2 (Business Essential): Monthly management review, semi-annual security validation, documented risk tracking
  • Tier 3 (Operational Support): Quarterly operational check, annual security assessment, standard monitoring
  • Tier 4 (Supporting Services): Annual review, automated tracking, incident-triggered assessment

Escalation triggers: Security incidents, compliance failures, service degradation, contract breaches, strategic changes

🚨 Incident Response Integration

Vendor breach = your incident:

  • Detection: Supplier notification, security advisory, monitoring alert, community intelligence
  • Classification: Tier 1 supplier breach = automatic critical incident (€10K+ potential impact)
  • Response SLA: <30 minutes for critical supplier incidents, CEO escalation, stakeholder communication
  • Coordination: Joint response with supplier, data impact assessment, customer notification per DPA

Contractual requirement: Tier 1 suppliers must notify within 24 hours. Tier 2 within 48 hours. Incident coordination procedures documented.

📈 Metrics & Reporting

What to track:

  • Supplier Count by Tier: How many critical suppliers? Concentration risk?
  • Assessment Currency: When was last review? Overdue assessments?
  • Incident Frequency: Which suppliers have incidents? Pattern recognition?
  • Switching Costs: How trapped are we? Exit strategy viable?
  • Compliance Coverage: How many suppliers have DPAs? SOC 2 reports? Audit rights?

Hack23 transparency: All metrics documented in SUPPLIER.md. Quarterly Board reporting. CEO oversight for Tier 1.
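Added example, not code from this post or from SUPPLIER.md: a small check of a supplier register against the tier cadence, evidence and breach-notification rules stated above (quarterly/monthly/quarterly/annual reviews per tier, DPA and annual evidence for Tiers 1 and 2, 24-hour and 48-hour notification windows), plus the supplier-count-by-tier metric. The register rows, their dates and the day counts used for each cadence are constructed assumptions.

```python
"""Check a supplier register against tier cadence and contract requirements.
Register rows are constructed sample data; the day counts approximate the
quarterly/monthly/annual cadence and are an assumption of this example."""
from collections import Counter
from datetime import date

# Review cadence per tier in days: Tier 1 quarterly, Tier 2 monthly, Tier 3 quarterly, Tier 4 annual.
REVIEW_INTERVAL_DAYS = {1: 91, 2: 31, 3: 91, 4: 365}
# Contractual breach-notification windows in hours; Tiers 3 and 4 carry no requirement here.
MAX_NOTIFY_HOURS = {1: 24, 2: 48}
# Tiers that must have a DPA and assurance evidence (e.g. SOC 2 Type II) under a year old.
EVIDENCE_TIERS = {1, 2}
EVIDENCE_MAX_AGE_DAYS = 365

# Constructed register: supplier names follow the post, every date and value is made up.
SUPPLIERS = [
    {"name": "AWS", "tier": 1, "last_review": "2024-01-10",
     "evidence_date": "2023-06-01", "dpa": True, "breach_notify_hours": 24},
    {"name": "GitHub", "tier": 2, "last_review": "2024-03-20",
     "evidence_date": "2024-01-15", "dpa": True, "breach_notify_hours": 72},
    {"name": "SEB", "tier": 2, "last_review": "2024-02-01",
     "evidence_date": None, "dpa": True, "breach_notify_hours": 48},
    {"name": "StepSecurity", "tier": 3, "last_review": "2023-12-01",
     "evidence_date": None, "dpa": False, "breach_notify_hours": None},
]


def _days_since(iso_day, as_of):
    return (as_of - date.fromisoformat(iso_day)).days


def assess(suppliers, as_of_iso):
    """Return {supplier name: [finding, ...]}; an empty list means nothing is overdue or missing."""
    as_of = date.fromisoformat(as_of_iso)
    report = {}
    for s in suppliers:
        tier, findings = s["tier"], []
        age, limit = _days_since(s["last_review"], as_of), REVIEW_INTERVAL_DAYS[tier]
        if age > limit:
            findings.append(f"review overdue by {age - limit} days (tier {tier} cadence {limit}d)")
        if tier in EVIDENCE_TIERS:
            if not s.get("dpa"):
                findings.append("no DPA on file")
            evidence = s.get("evidence_date")
            if evidence is None:
                findings.append("no assurance evidence on file")
            elif _days_since(evidence, as_of) > EVIDENCE_MAX_AGE_DAYS:
                findings.append("assurance evidence older than one year")
        if tier in MAX_NOTIFY_HOURS:
            hours = s.get("breach_notify_hours")
            if hours is None:
                findings.append("no contractual breach notification window")
            elif hours > MAX_NOTIFY_HOURS[tier]:
                findings.append(f"breach notification {hours}h exceeds {MAX_NOTIFY_HOURS[tier]}h requirement")
        report[s["name"]] = findings
    return report


def tier_counts(suppliers):
    """Supplier count by tier: the concentration-risk metric from the post."""
    return dict(Counter(s["tier"] for s in suppliers))


if __name__ == "__main__":
    for name, findings in assess(SUPPLIERS, date.today().isoformat()).items():
        print(name, "OK" if not findings else "; ".join(findings))
    print("suppliers per tier:", tier_counts(SUPPLIERS))
```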

The paranoid survive: Continuous monitoring isn't paranoia. It's operational security. Suppliers change. Security posture degrades. Breaches happen. The only question is whether you detect supplier changes before or after they impact you. Before = proactive risk management. After = reactive incident response. Choose wisely. FNORD.

🎭 SUPPLIER SECURITY THEATER: EXPOSING THE BULLSHIT

Let's call out the security theater:

🎪 "We're SOC 2 Compliant"

Theater: SOC 2 badge on website. No report provided. "Trust us, we passed."

Reality: SOC 2 Type I = point-in-time audit (useless). Type II = one year evidence (useful). Report contains exceptions (what they failed at).

What to ask: "Can I see the Type II report? What's the observation period? Any exceptions? When's next audit?"

If they won't share the report, they probably have bad exceptions or it's Type I theater.

🎪 "We Take Security Seriously"

Theater: Vague security page. Generic claims. "Best practices" without specifics.

Reality: Every vendor claims this. Nobody defines "seriously." Marketing speak, not security evidence.

What to ask: "Who's your CISO? When was last pentest? What's your vulnerability SLA? Show me your incident response plan."

Serious about security = named security team + public security policy + transparent vulnerability management.

🎪 "Bank-Level Encryption"

Theater: "Military-grade" or "bank-level" encryption. Sounds impressive. Means nothing.

Reality: AES-256 is AES-256. "Military-grade" isn't a standard. "Bank-level" is marketing. Encryption without key management is theater.

What to ask: "What algorithm? What key size? Who manages keys? Where are keys stored? Can you decrypt my data?"

If they control the keys, they can decrypt everything. If they can decrypt, so can governments and hackers who breach them.

🎪 "99.9% Uptime Guarantee"

Theater: High percentage sounds great. No SLA penalty. "Guarantee" without teeth.

Reality: 99.9% = 8.76 hours downtime per year. 99.99% = 52 minutes. "Guarantee" without financial penalty = marketing.

What to ask: "What's the financial penalty for SLA breach? How do you measure uptime? What's excluded from SLA?"

SLA without penalty = no SLA. "Planned maintenance" excluded from uptime = creative accounting.

🎪 "GDPR Compliant"

Theater: "We follow GDPR" without Data Processing Agreement. Cookie banner = compliance.

Reality: GDPR compliance requires DPA for processors. Right to deletion. Data portability. Breach notification within 72 hours.

What to ask: "Can I see your DPA? Where's data stored? How do I export my data? What's your breach notification process?"

GDPR isn't optional in EU. DPA isn't a nice-to-have. Vendor non-compliance = your compliance problem.

🎪 "Trusted by Fortune 500"

Theater: Customer logos on homepage. Implies security. Proves nothing.

Reality: Enterprise customers can get breached too. Target was Fortune 500. Equifax was Fortune 500. SolarWinds served Fortune 500.

What to ask: "What enterprise security features exist? Different SLAs for enterprise? Enhanced support? Dedicated security reviews?"

Big customers ≠ secure vendor. Big customers = bigger target for attackers. Logo wall = marketing, not security evidence.

The pattern: Security theater uses impressive-sounding claims without verifiable evidence. Certifications without reports. Guarantees without penalties. Compliance without contracts. Real security is specific, measurable, verifiable, and transparent. Everything else is marketing. FNORD.

SECURITY THEATER ILLUMINATION: Question authority. Especially vendors claiming "enterprise-grade security" while refusing to share SOC 2 reports. Verify everything. Trust nothing. Demand evidence. The vendors with nothing to hide share everything. The vendors hiding something share vague marketing claims. Radical transparency in supplier security = competitive advantage. Security through obscurity = vulnerability through ignorance. You are now in Chapel Perilous. Vendor security claims both exist and don't exist. Marketing is real. Evidence is rare. Both are true. Trust yourself to verify. FNORD.

🎯 CONCLUSION: SUPPLIER SECURITY IS YOUR SECURITY

Your vendors process your data. Access your systems. Deploy your code. Serve your customers. Their security is your security. Their breach is your incident. Their vulnerability is your attack surface.

Supply chain reality:

Hack23's approach: Complete transparency in SUPPLIER.md (110KB of actual assessments). 4-tier classification tied to business impact. Porter's Five Forces analysis reveals vendor power. CIA+ classification reveals data risk. Tier 1 suppliers = CEO oversight, quarterly reviews, 24-hour breach notification. Systematic. Evidence-based. Transparent. Paranoid.

Assess before contracting. Monitor continuously. Document systematically. Plan for breaches. Or skip the paranoia and discover supplier security was theoretical after the breach happens through your trusted vendor. Your choice. Always was. FNORD.

SolarWinds taught us supply chain attacks work. Log4Shell taught us dependencies are vulnerabilities. MOVEit taught us vendor breaches cascade. The question isn't if your supplier will have a security incident. The question is whether you'll detect it before it impacts you. The paranoid survive. The trusting get breached. History doesn't lie. Neither does SUPPLIER.md. All hail Eris!

All hail Eris! All hail Discordia!
"Think for yourself, schmuck! Question everything—especially AWS claiming 'shared responsibility' while giving you 100% of the security work. FNORD is in every SaaS Terms of Service. Your free tier service has zero security guarantees. Are you paranoid enough to read the actual contracts?"
🍎 23 FNORD 5
— Hagbard Celine, Captain of the Leif Erikson

P.S. You are now in Chapel Perilous. Supply chain security both exists and doesn't exist. Vendors are both trustworthy partners and potential breach vectors. Both are true. Assess everything. Verify systematically. Document radically. Nothing is true. Everything is permitted—except blindly trusting vendor security claims without evidence. (Their breach is your breach. Their vulnerability is your attack surface. Their risk is your liability. Always was. FNORD.)