TL;DR

Most Australian SMB breaches now start with a compromised vendor, open-source library, or build tool, not a direct attack on your network. You cannot audit every supplier yourself, but you can put four controls in place: know what software you are running, verify where it came from, ask your SaaS vendors the right questions, and monitor the signals that warn a supplier is drifting. This post gives you a checklist and a 10-question vendor questionnaire you can use today.

The software supply chain is your new attack surface

Every business runs on code it did not write. Your accounting package pulls in open-source libraries. Your SaaS provider ships updates every day. Your developers download packages from npm, PyPI, or Docker Hub. Each hand-off is a place where an attacker can hide. The 2023 Melbourne company compromise via a downstream IT provider, the XZ Utils backdoor, and the MOVEit, SolarWinds, and 3CX incidents all share one lesson: the weakest link is usually a supplier, not your firewall.

For Australian SMBs, the risk is real but manageable. You do not need a full enterprise vendor-risk program. You need contracts that shift liability, evidence you can verify, and a few habits that catch problems early.

Four controls that actually reduce exposure

1. Know what you are running with an SBOM

A Software Bill of Materials, or SBOM, is an ingredient list for software. It names every component, version, and dependency inside an application or container. If a critical CVE drops, an SBOM lets you answer in minutes: "Are we affected?" instead of spending days scanning every system.

Ask your software vendors and internal developers for SBOMs in standard formats: SPDX or CycloneDX. For SaaS, request an SBOM for the application you subscribe to, not just the infrastructure. Store SBOMs in a central register and refresh them when the vendor ships a major update. The ACSC and NIST both recommend SBOMs as a baseline supply-chain transparency control.

2. Triage faster with VEX

An SBOM tells you what is inside the software. Vulnerability Exploitability Exchange, or VEX, tells you whether a reported CVE is actually exploitable in your environment. A VEX document from a vendor says: "Yes, CVE-XXXX is in our dependency tree, but the vulnerable function is not called, so you are not at risk."

Without VEX, every CVE becomes a fire drill. With it, your team can downgrade noise and focus on the vulnerabilities that matter. Contractually, ask vendors to provide VEX data alongside their SBOMs within 72 hours of a high-severity CVE being published.

3. Trust builds with SLSA and sigstore

SLSA, the Supply-chain Levels for Software Artifacts framework, defines four levels of build integrity. Level 1 is a published build process. Level 3 uses isolated, hardened build environments. Level 4 includes two-person review and reproducible builds. You will not demand Level 4 from every SaaS vendor, but you should know what level they claim and put it in the contract.

For open-source packages, sigstore and code signing prove that the binary you install came from the expected source and was not modified in transit. Configure npm, PyPI, and Docker Hub consumption to require signed artifacts where available. Internally, sign your own containers and binaries, and verify signatures in CI before deploying to production.

4. Reduce risk from public registries

npm, PyPI, and Docker Hub are essential, but they are also attack marketplaces. Typosquatting, dependency confusion, and abandoned packages are common.

Practical steps: pin exact versions in lock files, use private mirrors or caches, scan dependencies in CI with tools like Snyk, OWASP Dependency-Check, or Trivy, and maintain an allowed-list of approved packages. For Docker, prefer minimal base images from verified publishers, scan layers before deployment, and never run latest in production.

Put it in the contract

Controls only stick if they are written down. Your SaaS and software procurement contracts should include:

  • Incident notification within 24 hours of confirmed compromise.
  • Right to audit, or at least annual third-party security attestations.
  • SBOM and VEX delivery for critical software.
  • Sub-processor disclosure and approval rights.
  • Liability caps that reflect the actual business impact of a supplier breach.
  • Termination rights if the vendor fails to patch critical vulnerabilities in a defined window.

If a vendor refuses every clause, that is signal. Either reduce their access to non-critical data or choose a competitor who will agree.

Vendor security questionnaire: 10 must-ask questions

Copy this into your RFP or renewal process:

  1. Can you provide an up-to-date SBOM in SPDX or CycloneDX format for the service we are buying?
  2. Do you produce VEX documents or exploitability statements for reported CVEs?
  3. What SLSA level do your build and release pipelines meet, and can you share evidence?
  4. Are your binaries, containers, and packages signed, and do you publish signatures or use sigstore?
  5. How quickly do you patch critical, high, and medium vulnerabilities, measured in days?
  6. Who has privileged access to production systems, and is that access logged, reviewed, and multi-factor protected?
  7. Do you perform annual penetration tests, and will you share the executive summary?
  8. What sub-processors or fourth-party providers touch our data, and where are they located?
  9. What is your incident response plan, and will you notify us within 24 hours of a confirmed breach?
  10. Can we review your ISO 27001, SOC 2 Type II, or IRAP assessment results?

Supply chain security checklist

Use this as a quarterly review:

  • Maintain a register of all third-party SaaS, software, and critical open-source dependencies.
  • Collect and refresh SBOMs for every business-critical application.
  • Verify package signatures before production deployment.
  • Run dependency vulnerability scans in CI and on a weekly schedule.
  • Pin versions and use private registries or caches for public packages.
  • Add supply-chain clauses to every new vendor contract and renewal.
  • Ask the 10 vendor questions above at procurement and annually.
  • Track vendor patch SLAs and escalate misses.
  • Monitor public advisories for your key suppliers and their dependencies.
  • Run a tabletop exercise for a supplier breach once a year.

FAQ

Do I really need an SBOM from every vendor?

Start with the software that touches sensitive data or runs critical business processes. That is usually 5 to 10 suppliers, not 200. Once the process is running, expand it.

What if my vendor has never heard of SLSA or VEX?

That is useful information. If they cannot describe their build integrity or vulnerability triage process, they probably are not doing it systematically. Push for basic controls first: signed artifacts, documented patching SLAs, and a published security page.

Are open-source dependencies riskier than commercial software?

Not inherently. Commercial software often embeds the same open-source libraries. The risk is visibility. Open-source projects may have fewer formal security processes, so you must do your own scanning, pinning, and verification.

How much should I spend on this?

Most of these controls are process changes, not new purchases. SBOM collection, contract clauses, and the questionnaire are free. Scanning tools range from open-source to paid per developer. Budget for the tools that cover your highest-risk dependencies first.

Conclusion

Supply chain risk is not an enterprise problem. It is a business survival problem, and Australian SMBs are squarely in the target zone. You will not eliminate third-party risk, but you can make your suppliers prove what they run, how they build it, and how fast they patch. Start with the checklist and questionnaire in this post. Add the contract clauses at your next renewal. And if you want an independent review of where your supply chain exposure sits, visit consult.lil.business for a free cybersecurity assessment.

References

  1. Australian Cyber Security Centre: Supply Chain Security
  2. NIST: Software Supply Chain Security Guidance
  3. SLSA Framework

Verifier warning: verifier could not run (PluginLlmTrustError).

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation