Software Engineering Institute

This article introduces the concept of standardized third-party certification of supplier process capability. It is based on the principle that capable suppliers provide capable products. At a time when security concerns are preeminent, it should be clear that purchasing software from unknown or unvetted suppliers is a risky proposition, and the trend toward global outsourcing only exacerbates the problem. Yet businesses lose competitive advantage if they deal only with local suppliers. The approach outlined here allows acquirers to trust even previously unknown suppliers if those suppliers have undergone third-party assessment of the security capability of their processes. It allows acquisition officers to deal with a much wider range of suppliers and increases the competitive pressure necessary to ensure cost-efficient products.