Skip to content

Universal Security Conditions

Conditions versus controls

A control is something you check off. It passes or it fails, it lives as a line in a spreadsheet, and half the energy around it goes into arguing the spirit of the control rather than the state of the system. A condition is a different kind of object. It is something you cultivate and keep alive, and it has no passing grade. The security posture of a Software Factory is a set of conditions you tend. Like anything living, they start to degrade the moment you stop tending them.

Your strategic position tells you how to tend them. A Craft shop and a Lean enterprise cultivate the same conditions with very different tools, budgets, and timelines. The conditions themselves do not move with size, stack, or industry. They are what every Software Factory has to keep alive regardless of where it sits on the map, which is why this section comes before the positioning work and not after it.

There are four conditions you can hand to a team, and one you cannot.

The five universal security conditions Four conditions you can staff, drawn as four pillars: Supply Chain, marked number one and the loudest; Third-Party; Process; and Runtime. Each pillar names the question it asks and its lever. Supply Chain asks what is inside what I shipped, with the lever of comprehension. Third-Party asks what I handed off and who holds the bag, with the lever of containment. Process asks whether the way we build produces security or bolts it on, with the lever of feedback. Runtime asks whether we can sense what production is doing now, with the lever of observability. Spanning all four runs a band, Adaptive Capacity, the one condition you cannot staff: whether the system as a whole can absorb a surprise it was not designed for and keep working. It runs across the other four rather than beside them, the resilience of the whole system. You assess it; you cannot hand it to a team. Conditions you cultivate and keep alive Four you can staff. One you cannot. #1 Supply Chain What is inside what I shipped? Comprehension SBOM, provenance, signing, pinning the loudest Third-Party What did I hand off, who holds the bag? Containment blast-radius limits, shared responsibility Process Does the way we build produce security? Feedback security arriving while the work happens Runtime Can we sense what production does now? Observability detection, response, recovery functions you can name, staff, and put on an org chart Adaptive Capacity · the fifth condition, the one you cannot staff Can the system absorb a surprise it was not designed for and keep working? Runs across all four as the resilience of the whole system. You assess it; you cannot hand it to a team.
Four conditions you can name, staff, and put on an org chart, plus Adaptive Capacity, the resilience of the whole system, running across all four. You assess the fifth; you cannot hand it to a team.

The four you can staff

Condition Kind The question it asks The lever
Supply Chain (#1) Domain Do I know what is inside what I shipped? Comprehension: SBOM, provenance, signing, pinning
Third-Party Domain Do I know what I handed off, and who holds the bag when it fails? Containment: blast-radius limits, shared-responsibility clarity, failover
Process Mechanism Does the way we build produce security, or bolt it on afterward? Feedback: security arriving while the work happens, ahead of the end-of-cycle review
Runtime Domain Can we sense what production is doing right now and respond before a user does? Observability: detection, response, recovery

These four map to functions you can name, staff, and put on an org chart. That is deliberate. A condition you cannot assign to anyone is a condition nobody tends.

The four are not the same kind of thing. Supply Chain, Third-Party, and Runtime are domains, a scope of risk you can point to: the code you pulled in, the services you handed off, the system running now. Process is a mechanism: the way those domains get built, which is why a pipeline that emits provenance tends Supply Chain for free. Adaptive Capacity, further down, is a third kind entirely: a property of the whole system, not a domain or a mechanism. The numbers label three different kinds of thing on one list, and tempo is the only ranking the list carries, which is why Supply Chain leads. A domain, a mechanism, and a system property do not belong on the same maturity scale, so read the column before you build a scorecard.

Supply Chain and Third-Party are not the same condition

They look like one thing. They are not, and the line between them is where a lot of programs quietly fail.

Supply Chain is what you pull in: third-party libraries, base images, sidecars, the code you embed and then ship as if it were your own. Once you embed it, the liability is yours. You can also do something about it, because the artifact is in your hands. You can read it, generate an SBOM, sign it, pin it, rebuild it. Supply Chain is soil: you can amend it. The way it fails is that you did not look.

Third-Party is what you hand off: the payments processor, the data warehouse, the identity-verification provider, the cloud, the SIEM. Some of these are infrastructure; others are core to how your product delivers value at all. You delegate the function, and a shared-responsibility model splits the work. A contract can shift the legal liability to them; it cannot shift the responsibility, and no certificate hands it back. Compliance is a market-access key: a vendor earns FedRAMP to unlock the federal market, and its attestation retires none of your risk. You still have to do your part and trust they are doing theirs. You cannot directly inspect or observe what they run. Third-Party is weather: you cannot change it, you can only prepare for it. The way it fails is that they got breached and you inherited it anyway.

Lumping both under "supply chain" because the word has stretched to cover everything external is the move that hides the seam. The two conditions take different muscles. One is a comprehension problem: you embedded something and never read it. The other is an opacity problem: you delegated something you cannot directly inspect, and no contract or certificate changes that. Keep them apart on the page so they stay apart in the work.

Supply Chain versus Third-Party: embedded-in against handed-off Two conditions side by side that look like one. Supply Chain, on the left, is what you pull in: libraries, base images, and sidecars you embed and then ship as your own. The artifact is in your hands, so you can read it, generate an SBOM, sign it, and pin it. It is like soil: you can amend it. It is a comprehension problem, and it fails when you did not look. Third-Party, on the right, is what you hand off: payments processors, data warehouses, identity providers, the cloud, the SIEM. You delegate the function under a shared-responsibility model and cannot directly inspect what they run. No contract or certificate hands the risk back. It is like weather: you cannot change it, only prepare for it. It is an opacity problem, and it fails when they get breached and you inherit it. Two distinct conditions The line between them is where a lot of programs quietly fail. Supply Chain what you pull IN embed it, ship it as your own libraries · base images · sidecars The artifact is in your hands: read it, SBOM it, sign it, pin it. Soil: you can amend it Comprehension problem Fails when you did not look. Third-Party what you hand OFF delegate it, depend on it payments · warehouse · cloud · SIEM Shared responsibility splits the work. No certificate hands the risk back. Weather: you prepare for it Opacity problem Fails when they are breached and you inherit it anyway. Lump both under "supply chain" and you hide the seam. Different muscles: one you read, the other you cannot.
Supply Chain is what you pull in and can amend, a comprehension problem. Third-Party is what you hand off and can only prepare for, an opacity problem. Lump them together and you hide the seam.

Supply Chain is still the loudest

Of the four, Supply Chain has been the one to watch for years, roughly since 2017, when adversaries moved discovery to automation at internet scale and started finding vulnerable dependencies faster than defenders could inventory them. This is a matter of tempo. Supply Chain does not matter more than the rest; it degrades faster and gets exploited sooner, so it earns first call on attention and budget. Treat it as the default #1 and argue yourself down from there if your context warrants.

The one you cannot staff: Adaptive Capacity

The fifth condition does not get a team, and that is the point.

Adaptive Capacity is whether the system as a whole can absorb a surprise it was not designed for and keep working. It is the old Continuous Learning idea, finally named for what it actually is. The other four conditions each map to a function you can put on an org chart. This one does not. It is closer to the resilience of an ecosystem than to anything you could install or assign. The capacity of a living system to take a shock, a drought or a new predator, and reorganize without collapsing is spread across the whole web rather than held in any single species or place. It is never finished, because the system and the things stressing it keep changing against each other. You assess whether the system has this capacity. You cannot hand it to a team.

It runs across the other four rather than beside them. A healthy Adaptive Capacity shows up as blameless post-incident review that changes something, as feedback loops that shorten, as the organization sensing a shift in the threat landscape and adjusting before it gets hit rather than after. When it is missing, the other four can each look fine on a maturity chart while the system stays brittle, because nothing is teaching it to bend.

This is the condition that carries the framework's resilience thinking, and it is the seam where this base framework meets the Coadaptive Security layer. The idea comes from ecology. A system survives shocks when it can reorganize as new ones arrive, and that capacity lives in the whole web rather than in any single part. Security works the same way. Certify a system once and trust it to hold, and it falls behind, because the things trying to break it keep changing while it stands still. Adaptive Capacity measures whether the whole system is still adapting faster than its adversaries. That is the question worth asking.

How the conditions hold each other up

The conditions are coupled, and the coupling is where leverage hides:

  • A weak Supply Chain condition rarely announces itself in Supply Chain. It surfaces at Runtime, as the incident you trace back to a dependency you never inventoried.
  • Process is where the other conditions either get cultivated or get skipped. A build pipeline that produces provenance is tending Supply Chain for free.
  • Third-Party failures are bounded by Runtime containment. The vendor breach you survive is the one whose blast radius you limited in advance.
  • Adaptive Capacity is how all four improve at all. Without it, you are just repainting the same four walls on a fixed cadence.
Adaptive Capacity as the emergent output of the four conditions and their seams A convergence diagram. Across the top sit the four conditions you can staff. Supply Chain, Third-Party, and Runtime are marked as domains, a scope of risk you can point to. Process, set apart with a gold border, is marked as a mechanism: the way the other three get built. Between the conditions sit three seams, small gold diamonds, the couplings where a weakness in one condition surfaces in another. Arrows flow downward from all four conditions and from the three seams into a single wide node at the bottom: Adaptive Capacity. The diagram presents Adaptive Capacity as the emergent output of the whole system, produced by the four conditions together and by the seams between them, rather than as a fifth peer beside them or a foundation beneath them. You assess whether the system has this capacity; you cannot hand it to a team. How the fifth condition emerges Adaptive Capacity is what the other four conditions, and the seams between them, produce together. Supply Chain domain Third-Party domain Process mechanism Runtime domain Adaptive Capacity The emergent output of the four and their seams. You assess whether the system has it. You cannot hand it to a team. seam: the coupling between two conditions, where the leverage hides
Adaptive Capacity is a different kind of thing from the other four: the resilience of the whole system, which you assess but cannot staff.

Invest where a single move strengthens more than one condition at once. Those are the moves worth sequencing first.

Universal conditions, local implementation

The conditions are universal. How you cultivate them varies.

A three-person Craft shop and a five-thousand-person Lean enterprise both have to tend Supply Chain, but one does it with a single well-chosen managed scanner and the other with a platform team and a paved road. The Strategic Positioning section is how you decide which version of "tending" your organization can actually sustain. Read the conditions here as the what. Read positioning as the how.

Naming note (v0.5 → v0.6)

In v0.5 this section was "Universal Risk Stewardship Responsibilities," organized as five areas you steward. v0.6 reframes them as conditions you cultivate, splits the old Supply Chain area along the embedded/delegated line, and recasts Continuous Learning as the cross-cutting Adaptive Capacity condition. The migration crosswalk maps every old name to its v0.6 home.

Next Steps

Start with the condition that degrades fastest:

Supply Chain (#1) Third-Party Adaptive Capacity


Back to Foundation