Vendor Reliability Questionnaire
Goal: Produce a basic questionnaire that an enterprise could send to an application vendor that wants to provide them with a Modern On-prem application. This is designed to be similar to the Vendor Security Questionnaires that are in use today.
Prerequisites & Provisioning
Questions in this section are designed to help the enterprise understand the requirements of the application, and if the application can be deployed to existing hardware, new “standard” hardware (the enterprise defines “standard”), or requires anything unusual for the enterprise. This includes both hardware, non-bundled software, and training of systems and processes.
- Does the application require specialized hardware?
- Does the application run on Linux, Windows or either?
- Will the application run on a security-hardened Linux?
- Can the application run on any cloud provider? List the cloud providers it can run on.
- Does the application require specific cloud provider resources (Redshift, ECS, etc.)?
- Can the application run on Kubernetes?
- Can the application run in any namespace?
- What RBAC permissions will be required outside of the namespace?
Installing & Configuring
Questions in this section get a little more specific about how the application is delivered. This section is designed to help the enterprise understand what the vendor is responsible for and what the enterprise will be responsible for. Additionally, it helps the enterprise start to understand how they will be able to edit the installable assets to make them compatible with existing systems (networking, workflows, etc.).
- What methods can be used to add secrets at configuration time?
- What secret stores does the app support at runtime?
- Does the application create its own TLS certs?
- Will the application run with certs generated from an enterprise CA?
- How does the application handle renewal of TLS certs?
- If K8s, is the K8s YAML exposed for editing or patching?
- Is the SecurityContext configurable?
- Is it possible to tune liveness and readiness probes?
Updating & Upgrading
Questions in this section help the enterprise understand the cadence and process (i.e., effort) that will be involved with each update. Frequency of updates and delivery mechanism will build on questions asked before, and the goal of questions here is to help the enterprise understand and plan for resources required to keep the software up to date.
- Zero downtime updates?
- How will updates be applied?
- How are update notifications handled? Git PR?
- How are container images delivered?
- Can images be retagged and pushed to a local registry for security scanning?
Operating
Questions in this section help the enterprise understand the day-to-day operational tasks they will be responsible for managing. All software requires some routine operational tasks, and some can be delivered as automated tasks, while some are manual efforts. When planning for resources required to run software, the enterprise should budget for any routine (daily, weekly, monthly) manual tasks that require intervention to keep the system running properly.
- What regular tasks are required to maintain steady-state operation of the system?
- What is required for database maintenance?
- How do you facilitate user cleanup?
- Are there caches that must be purged manually?
Inter Service Communication
- Do all internal api interfaces require authentication and authorization? Communications leveraging MTLS? Leveraging a service mesh?
- Does your application operate with the principle of least privilege? - Always create a user, never run as root?
Testing
- What automation scripts can be provided with the application to load test after installation?
- How is an installation verified to be running properly?
- What automated post-installation conformance testing tools are provided?
High Availability
- Does the application support multi-region deployments?
- Does the application support multi-cloud deployments?
- Which components cannot be clustered or rely on single instance?
Observability (Monitoring, Logging, Tracing)
- What logging destinations (file, stdout/err, etc) does the application support?
- What volume of logging data is generated by the application?
- Does the application support structured logs?
- Does the application support unstructured logs?
- Are secrets and PII and sensitive information excluded from logs?
- What’s the default log level of the components?
- Can the log level be changed without restarting the application?
Storage & State
- Does the application support BYO State (db, object, block)?
- How is the database configured (db engine parameters)?
- How are schema migrations applied to the database during upgrades? Can this be rolled back? Are these idempotent? Do these require downtime?
- How are data migrations handled in the application?
- Where is all data stored?
- What data leaves the deployed system and is sent to third parties (including the vendor)?
- Does the application require shared access to block storage?
Troubleshooting
- How will you troubleshoot the system without remote access if something isn’t working properly?
- Can recent diagnostic information be collected if an error or downtime event is reported?
Networking
- What ingress options are required?
- Which services require ingress, or IP/DNS that are accessible from outside the cluster?
- Does the application require a subdomain or can it be deployed on a path?
- What external endpoints are required to be accessible for the application to start?
- What external endpoints are required to be accessible for the application to run?