NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-12(11) — Penetration Testing / Analysis of Elements, Processes, and Actors
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Conduct penetration testing and analysis not just of your own systems, but also of the supply chain elements (components, subsystems, delivered software), processes (development, build, delivery, update, and support) and actors (suppliers, integrators, service providers) that deliver products and services to your organization. The enhancement allows the testing or analysis to be organizational or independent third-party; document which you use. Note that SA-12 was withdrawn in NIST 800-53 Rev 5 and its supply chain enhancements were folded into the SR family; this enhancement corresponds to SR-6(1), Supplier Assessments and Reviews | Testing and Analysis, so if you assess against Rev 5 cite that control.
Example 1: Include supply chain attack scenarios in your penetration test scope. Can a tester compromise a vendor portal and inject malicious code into an update that your systems will accept? Can they intercept or alter communications between you and a supplier, for instance because an integration client does not verify the supplier's certificate? These tests reveal real-world supply chain attack paths, and they also show whether your side of the chain (update verification, transport security, acceptance testing) stops a compromised supplier. Testing a vendor's own systems requires the vendor's written authorization; where that is not available, scope the test to the interfaces and trust decisions you control.
Example 2: Evaluate the security of vendor portals and integration points as part of your regular security assessments. Test the authentication, encryption, and access controls on any system where you exchange data or software with vendors, including API credentials, TLS configuration, and how update integrity is checked before installation. Findings on vendor-owned systems should be shared with the vendor through an agreed disclosure path for remediation; findings on your own integration points go into your normal remediation tracking.
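The two checks the examples above describe, written as an added illustration rather than anything from the control text or from a specific product: a transport check that flags an integration client whose TLS context would let a tester intercept supplier traffic, and an update check that compares an insecure installer (accepts whatever the portal serves) with one that verifies a pinned digest obtained out of band. The update blobs, the pinned digest and the function names are constructed for the example.

```python
"""Added example: checks a tester would run against a vendor integration point.
All inputs below are constructed for the demonstration."""
import hashlib
import hmac
import ssl


def tls_findings(ctx: ssl.SSLContext) -> list[str]:
    """Return the weaknesses in an integration client's TLS context that
    would let an attacker sit between the organization and a supplier."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified (MITM possible)")
    if not ctx.check_hostname:
        findings.append("hostname not checked (any valid cert is accepted)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 permitted")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The setting pattern a tester hopes to find: verification disabled
    'to make the vendor API work'. check_hostname must be cleared before
    verify_mode, otherwise Python raises ValueError."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verification left on and an explicit TLS floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# --- update integrity ---------------------------------------------------

def apply_update(blob: bytes) -> str:
    """Stand-in for unpacking and installing the update."""
    return f"installed {len(blob)} bytes"


def install_insecure(blob: bytes) -> str:
    """Installs whatever was downloaded from the vendor portal. A tester
    who controls the portal (or the path to it) controls what runs here."""
    return apply_update(blob)


def install_hardened(blob: bytes, pinned_sha256_hex: str) -> str:
    """Refuses any blob whose SHA-256 does not match a digest obtained
    through a separate channel (release notes signed by the vendor, a value
    exchanged at onboarding). A digest fetched from the same portal as the
    blob gives no protection: the attacker replaces both."""
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, pinned_sha256_hex):
        raise ValueError("update digest mismatch; refusing to install")
    return apply_update(blob)


# Constructed sample data: a legitimate update and a tampered copy.
GOOD_UPDATE = b"vendor-agent-2.4.1\x00payload"
PINNED_SHA256 = hashlib.sha256(GOOD_UPDATE).hexdigest()  # assumed out-of-band
TAMPERED_UPDATE = GOOD_UPDATE + b"\x00malicious-addition"


def tampered_update_accepted(installer, *args) -> bool:
    """True if the installer accepts the tampered blob (a finding)."""
    try:
        installer(TAMPERED_UPDATE, *args)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("weak client:", tls_findings(weak_client_context()))
    print("hardened client:", tls_findings(hardened_client_context()))
    print("insecure installer accepts tampered update:",
          tampered_update_accepted(install_insecure))
    print("hardened installer accepts tampered update:",
          tampered_update_accepted(install_hardened, PINNED_SHA256))
```

Run as a script it reports two findings for the weak client and none for the hardened one, and shows the insecure installer accepting the tampered blob while the hardened one rejects it. In a real engagement the TLS check is made against the actual integration client's code or a captured handshake, and the digest pin is replaced by whatever integrity mechanism the vendor documents (a detached signature, a signed manifest); the point of the test is the same: substitute an update and see whether anything refuses it.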