Security Risk or Feature Request – Software due diligence – who controls your reputation?

If you can think of a business process nowadays, there’s probably either an outsourced service or off the shelf piece of software that will perform it for you. As part of any outsourcing arrangement, due diligence will be performed. However, what happens when you buy a piece of software?

If an organisation suffers a data breach thanks to an outsourcing partner not living up to their part of the bargain, there’s always the potential to mitigate reputational damage through plausible deniability. However, when you install and manage a piece of software, whatever happens is all your fault, so what can you do to make sure that software vendors take your reputation as seriously as you do?

Security Testing – In an ideal world, software would undergo a rigorous testing regime. Back in the real world though, software will usually undergo an element of functional testing, with security testing either being an afterthought or the end user’s problem. Before you buy software that you’re trusting with your reputation, ask the vendor for their most recent security testing results. If they try to make it your problem, look elsewhere. If they take an open approach (CANVAS LMS is a good example here), stick with that vendor and don’t let them go.

Remediation Process – Ask the vendor for their documented process for actioning vulnerability reports. If the vendor shows you a full process documenting risk assessment and communication procedures, including a liberal sprinkling of response timelines, give them a tick in the box for this one. If they give you a blank look, their competitors may want to help you.

Do your own testing – So, if you’ve found the unicorn that is a vendor taking information security seriously, why would you want to do your own testing? Penetration testing arranged by a vendor will often take place in a sterile environment that doesn’t necessarily resemble the real world. A real world configuration may introduce previously undiscovered flaws.

Show me – The cynical part of me strongly believes that if a vendor smells a sale, they’ll tell you whatever you want to hear, so don’t take them at their word; have them show you that they take the security of your customers’ data seriously.

Performing due diligence is just as important for COTS that could have an impact on your sensitive data as it is for an outsourcing partner. Above all else, if you find a vendor who uses the term “Feature Request” instead of the more commonly used “Urgent Security Fix”, run away as quickly as you can – they’re not taking the security of your information as seriously as you are!

[FAQ] Security Considerations for Customised Off The Shelf (COTS) Product Security

Introduction

There are a number of elements that relate to the early stages of the Software/System Development Lifecycle (SDLC) that should be considered in regards to security. Unfortunately, for a number of projects, our company becomes involved at the final stages of the process, which often results in highlighting a lack of, or ineffective, due diligence at the early phases. It is difficult to manage a project where the software is found to be inherently insecure, and this often leads to excessive launch delays, greatly increased budget requirements for additional resolution or even an outright cancelling of an expensive project.

While many people hate the analogy of “buying a car” when it is applied to IT, it is actually particularly relevant for product selection. In both cases, you have to be wary of products being rebadged, inferior internals within the product, whether it performs well in a test drive, an inability to easily conduct ongoing maintenance and poor after-purchase support.

Surely if I bought a product from a large software vendor everything would be fine?

A product that carries the supposed weight of a large multinational corporate has absolutely no bearing on its quality. Keep in mind that large corporates typically tend to conduct company acquisitions today rather than gamble on developing a product from scratch internally. The quality of the product is usually directly dependent on the company who authored the software – whom you may not have even heard of.


Announcement – New Partnerships

Securus Global is pleased to announce that we have entered into relationships with the following respected security product providers.

  • Rapid 7 (Vulnerability Assessment and Management)
  • Imperva SecureSphere Data Security Suite (Web Application Firewall)
  • Whitehat Web Application Security (Web Application Automated Scanning Services)

We recognise that our clients will decide at some stage to purchase such products and services, but the value proposition we present as opposed to just a product sales company is that our focus is security, and not a desire to sell you something that is not going to provide value for you. Our clients who are buying these services from Securus Global buy them from us and not from product resellers because they know Securus Global gives them the facts about the limitations of tools, while also assisting our clients in developing better solutions around tools. Nothing is just ‘plug and play.’ Working with us means you’ll get the value from your investment.

These join:

  • QualysGuard Vulnerability and Policy Compliance
  • Tripwire Configuration Audit and Control
  • Immunity Silica and CANVAS exploitation tools
  • CardRecon Credit Card Scanning

Please email us at info@securusglobal.com or call Sydney on 02 92830255 or Melbourne on 03 9620 9209 if you require any information on any of these products.

More information on all of these products is also on our website: http://www.securusglobal.com/products/