
When the Weakest Link Isn't Human, It's Your Vendor
In the last year, data breaches due to third-party security incidents have as much as doubled, according to the 2025 Verizon DBIR. As supply chains become increasingly complex and organizations depend on dozens, if not hundreds, of vendors for essential tools and services, the likelihood of a security loophole rises significantly. It is no surprise that, according to SecurityScorecard, "35.5% of all breaches in 2024 were third-party related. This figure is likely conservative due to underreporting and misclassification".
It won't be long before the weakest link in cybersecurity is no longer humans but the vendors we trust. According to IBM's 2023 Cost of a Data Breach Report (Ponemon/IBM), the average cost of a vendor-related breach is USD 4.3M. We all know how a single security incident can become a nightmare that damages not only company reputation and customer trust but also investor confidence, share price, and finances.

At Quince, where Customer First is a guiding value, we take this personally. Every vendor we onboard ultimately touches our customers' data and trust — directly or indirectly. Protecting that trust means looking far beyond the paperwork.
The Gap: Why Traditional VSAs Fall Short
There is no doubt that every company should evaluate the security of its third-party vendors, but the real challenge lies in making the complete process scalable, ensuring it is done for each and every vendor, and, most importantly, making it effective beyond mere paperwork.
Traditional VSAs, which amount to collecting a VAPT report, SOC 2 report, or ISO certificate and completing long VSA questionnaires, are simply not sufficient. They do not give the real picture. These documents are just a "snapshot in time": they show that a company once met specific controls, not its current state. By the time these reports are collected, the vendor's infrastructure might have changed drastically: a new integration might have come up, data workflows might have been modified, or controls might have been bypassed under tight deadlines or business pressure.

Modern businesses largely thrive on integrations, APIs, SaaS platforms, and shared data pipelines. But every connection carries inherent risk. A single unpatched service, an exposed token, or a misconfigured endpoint can provide attackers with a backdoor into the infrastructure, and these reports and questionnaires do not tell you how well, or how securely, a vendor integrates with your systems. This is critical, since most such security incidents stem from how securely the integration is done.
Security is a continuous process; the landscape is dynamic, but these reports are just static.
Attackers don't care about compliance frameworks; they look for misconfigurations, weak tokens, unmonitored endpoints, and forgotten test accounts. SOC 2 won't find those; a hands-on integration test will. Long VSA questionnaires follow a "one size fits all" approach, designed for vendors of any size, business, service offering, and type of client data handled. Such a questionnaire can confirm compliance, and it is good to have, but it does not guarantee security (though in security, nothing is 100%); only validation can confirm security.
Risk is real, loopholes are real, so security assessment should also be real.
VSA: The Quince Way
We faced the same challenges and realized that we didn't want a process that only looked good on paper. We wanted to change the traditional VSA to make sure it is scalable, compliant, continuous, and comprehensive.
We evolved our approach from a traditional VSA to a comprehensive, in-depth, multi-layer VSA. The first step was to make it a mandatory gatekeeper: no vendor or tool gets onboarded without going through security review and approval. We achieved this by making security review and approval a required step before the vendor moves to the next stage of onboarding. Next comes the Vendor Security Questionnaire.
One Size Doesn't Fit All: Tailoring VSAs by Vendor Type
At Quince, we, like most organizations, use a VSA questionnaire, but it varies from vendor to vendor depending on several factors:
- The type of service the vendor provides (e.g., SaaS, infrastructure, logistics, or analytics).
- The level of system integration with Quince's environment.
- The sensitivity of data handled, such as customer information or internal credentials.
- The nature of access, whether the vendor connects via API or SSO.
Once the questionnaire answers, reports, and evidence are submitted, we evaluate them and decide the next step.
The VSA questionnaire is internally split into two categories: mandatory and recommended.
- Mandatory items are essential and must be met for vendor approval.
- Recommended items are good to have and enhance the vendor's security posture.
If any mandatory check is not met, onboarding halts. Vendors are given a reasonable timeline to build the missing security controls or guardrails. There are situations where onboarding can't wait because of business priorities, tight deadlines, or late submissions; in such cases a conditional sign-off is given, but only with business and legal approval and with a clearly defined remediation timeline within which the vendor must build the security control.

Closing the Gap Between Answers and Reality
The questionnaire also covers the integration setup. But as noted above, answers can confirm compliance; only validation can confirm security. This is where Quince goes beyond the industry norm. Most organizations stop at policy reviews and document collection. We take it further: our security engineers validate that tools and integrations are configured securely, both before and after production access is granted. For example, we verify that vendors correctly implement OAuth or SAML SSO, enforce proper role-based access control (RBAC), and follow strong secrets management practices.

Tool misconfigurations, insecure API integrations, wide-open public login portals, and weak authentication mechanisms accounted for nearly one-third of data breaches in 2024. These are the issues traditional VSAs neither surface nor prevent, and they are exactly what the Quince VSA targets. External statistics are not the only evidence that this is a goldmine for data breaches; our internal exercise revealed much the same.
In one case, our assessment found that a vendor's API lacked proper authorization checks: by simply changing a client or reference ID in an API request, it was possible to pull data belonging to other organizations. In another instance, we discovered hardcoded API keys exposed in a public JavaScript file, a small oversight that could have given anyone access to sensitive information. Through this, we protected not only ourselves but all of the vendor's clients, and in the process we raised the security bar of the entire external ecosystem. That's what Customer First looks like in practice: fixing a vendor's issue protects hundreds of other companies too.
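The missing authorization check described above (a record is fetched by a guessable reference ID without confirming which tenant it belongs to) is the kind of defect the integration validation step is meant to catch before production access is granted. The following is an added example, not Quince's code or any vendor's API: the record store, tenant IDs, roles, and handler names are all constructed. It shows a vulnerable handler beside its hardened form (tenant ownership check plus a role check for destructive operations) and a small regression check an assessor can keep running against the hardened version.

```python
"""
Object-level authorization for a multi-tenant API (constructed example).

Not Quince's or any vendor's code. RECORDS, the tenant IDs, the roles and the
handler names are invented for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    """Authenticated principal: the organisation the token was issued to, and its role."""
    org_id: str
    role: str  # constructed roles: "admin" or "viewer"


# Constructed sample records keyed by an easy-to-guess reference ID.
# "tenant" records which organisation owns each record.
RECORDS = {
    "ref-1001": {"tenant": "org-A", "payload": "shipment manifest A"},
    "ref-1002": {"tenant": "org-B", "payload": "shipment manifest B"},
}


class Forbidden(Exception):
    """Raised when the caller may not act on the requested record."""


def get_record_vulnerable(caller: Caller, ref_id: str) -> dict:
    """Authenticates the caller but never authorizes: any valid token reads any ref_id."""
    return RECORDS[ref_id]


def get_record_hardened(caller: Caller, ref_id: str) -> dict:
    """Object-level authorization: the record must belong to the caller's tenant."""
    record = RECORDS.get(ref_id)
    # Same error for "does not exist" and "not yours", so the reference-ID space
    # cannot be mapped through differing responses.
    if record is None or record["tenant"] != caller.org_id:
        raise Forbidden("not found")
    return record


def delete_record_hardened(caller: Caller, ref_id: str) -> bool:
    """RBAC on top of tenancy: only an admin of the owning tenant may delete."""
    get_record_hardened(caller, ref_id)  # tenancy check first
    if caller.role != "admin":
        raise Forbidden("role not permitted")
    del RECORDS[ref_id]
    return True


def cross_tenant_reads(handler) -> list:
    """Regression check for the assessor: which records can an org-A viewer read
    that org-A does not own? A correct handler returns an empty list."""
    caller = Caller(org_id="org-A", role="viewer")
    leaked = []
    for ref_id, record in RECORDS.items():
        if record["tenant"] == caller.org_id:
            continue
        try:
            handler(caller, ref_id)
            leaked.append(ref_id)
        except Forbidden:
            pass
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_tenant_reads(get_record_vulnerable))
    print("hardened handler leaks:  ", cross_tenant_reads(get_record_hardened))
```

The design point is that authentication answers "who is this?" while authorization answers "may this identity touch this specific record?"; the hardened handler answers the second question on every request, and returning one uniform error for both missing and foreign records keeps the check from leaking which IDs exist.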

One of our biggest challenges was bandwidth. Thorough vendor security assessments take time and people. So we decided to tackle it head-on by automating key parts of the process, using smarter tools and data-driven insights to scale without losing depth or rigor. That's how we made the process scalable without compromising depth — a true Have-Your-Cake-and-Eat-It-Too moment. Some examples (by no means all) are:
- We built an internal CIA-based risk engine that scores each vendor on confidentiality, integrity, and availability impact, then auto-assigns a risk tier and control set. What used to take 45–60 minutes of manual review per vendor now takes under 10 minutes of validation, saving ~40–50 minutes of security time on every onboarding.
- We also added automated reminders and follow-ups for questionnaires, missing evidence, and overdue remediations. This removed most of the back-and-forth emails and spreadsheet chasing, cutting manual follow-up effort by ~70–80% and shortening the average completion cycle by 3–4 days.
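The CIA-based risk engine above, together with the mandatory/recommended split and the "onboarding halts" rule from the questionnaire section, can be illustrated end to end. The code below is an added example and is not Quince's internal engine, whose scoring rules are not published: the vendor attributes follow the four factors listed earlier (service type, integration level, data sensitivity, nature of access), while the impact scales, tier thresholds, and control names are constructed. It scores each vendor on confidentiality, integrity, and availability impact, derives a risk tier, attaches a cumulative control set, and returns an onboarding decision based on which mandatory controls the submitted evidence covers.

```python
"""
CIA-based vendor risk tiering (constructed example, not Quince's engine).

Impact scales, tier thresholds and control names are invented for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    service_type: str      # "saas" | "infrastructure" | "logistics" | "analytics"
    integration: str       # "none" | "api" | "sso" | "api+sso"
    data_sensitivity: str  # "public" | "internal" | "customer_pii" | "credentials"
    access_direction: str  # "read" (vendor only reads our data) | "write"


# Constructed impact scales, 0 (none) .. 3 (severe).
_CONFIDENTIALITY = {"public": 0, "internal": 1, "customer_pii": 3, "credentials": 3}
_INTEGRITY = {"read": 1, "write": 3}
_AVAILABILITY = {"saas": 2, "infrastructure": 3, "logistics": 2, "analytics": 1}


def cia_score(v: Vendor) -> dict:
    """Score C, I and A impact on 0..3. An automated integration raises C and I by one
    because data moves without a human in the loop."""
    automated = v.integration != "none"
    return {
        "C": min(3, _CONFIDENTIALITY[v.data_sensitivity] + (1 if automated else 0)),
        "I": min(3, _INTEGRITY[v.access_direction] + (1 if automated else 0)),
        "A": _AVAILABILITY[v.service_type],
    }


def risk_tier(score: dict) -> str:
    """Tier from the worst single dimension and the overall total (constructed thresholds)."""
    worst, total = max(score.values()), sum(score.values())
    if worst == 3 and total >= 7:
        return "critical"
    if worst == 3:
        return "high"
    if total >= 4:
        return "medium"
    return "low"


# Constructed control sets per tier: (mandatory, recommended). Higher tiers inherit lower ones.
_TIER_CONTROLS = {
    "low":      (["questionnaire"], ["mfa_on_vendor_accounts"]),
    "medium":   (["mfa_on_vendor_accounts", "least_privilege_api_keys"], ["recent_pentest_report"]),
    "high":     (["recent_pentest_report", "sso_config_validation"], ["annual_reassessment"]),
    "critical": (["integration_validation_pre_and_post_prod", "secrets_rotation_plan"],
                 ["continuous_monitoring"]),
}
_ORDER = ["low", "medium", "high", "critical"]


def control_set(tier: str) -> tuple:
    """Cumulative (mandatory, recommended) controls for a tier."""
    mandatory, recommended = [], []
    for t in _ORDER[: _ORDER.index(tier) + 1]:
        m, r = _TIER_CONTROLS[t]
        mandatory += m
        recommended += r
    # A control that became mandatory at a higher tier is no longer merely recommended.
    recommended = [c for c in recommended if c not in mandatory]
    return mandatory, recommended


def evaluate(v: Vendor, evidence: set) -> dict:
    """Full pipeline: score -> tier -> controls -> decision.
    Any missing mandatory control halts onboarding; missing recommended ones are reported only."""
    score = cia_score(v)
    tier = risk_tier(score)
    mandatory, recommended = control_set(tier)
    missing_mandatory = [c for c in mandatory if c not in evidence]
    missing_recommended = [c for c in recommended if c not in evidence]
    return {
        "vendor": v.name,
        "score": score,
        "tier": tier,
        "decision": "halt" if missing_mandatory else "approve",
        "missing_mandatory": missing_mandatory,
        "missing_recommended": missing_recommended,
    }


if __name__ == "__main__":
    # Constructed vendor: analytics SaaS reading customer PII over an API.
    sample = Vendor("constructed-analytics", "analytics", "api", "customer_pii", "read")
    print(evaluate(sample, {"questionnaire", "mfa_on_vendor_accounts",
                            "least_privilege_api_keys", "sso_config_validation"}))
```

Keeping scoring, tiering, and control lookup as separate pure functions is what makes the engine reviewable: each tier threshold and each control assignment can be unit-tested and changed on its own, and the decision output lists exactly which mandatory items block onboarding, which is the same information the follow-up reminders need.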
Security as Culture, Not Compliance
The evolving landscape, complex supply chains, and increasing dependency on vendors will keep raising third-party risk, so a VSA shouldn't be confined to reports, paperwork, theoretical process, or checklists; this is what we have learned. Zero trust should be applied everywhere — true assurance doesn't come from paperwork or reports but from validation, collaboration, and accountability. We at Quince have turned VSA from a formality into a culture, and that culture is what will define secure organizations in the years ahead. Our VSAs are more than a gatekeeping step; they're a reflection of Quince's values:
- Customer First: Protecting customer data by holding every vendor to our standards.
- High Quality: Extending our product quality ethos to our technology and partners.
- Relentless Improvement: Continuously refining our processes and learning from every review.
- Technology First: Automating wherever possible to scale responsibly.
- Fair & Transparent: Working with vendors as partners, not auditors.
Since security is a continuous process, we keep working to strengthen the security of our infrastructure and apps through tools and processes. Keep following us to learn more about them. Stay tuned!
Want to be part of that mission? We're hiring! Check out our open roles here.