I don't personally have the resources or authority to audit for security issues all of the third-party services and companies I might want to use or be forced to use by business circumstances. How then can I learn more about their security track records?
Where do I start to learn more about a given company's or software solutions' security track record?
-
You mean you are looking to replicate the measures you take to audit the safety records of all the companies involved in a chain when you buy a tomato? – techraf Jul 13 '16 at 01:32
-
@techraf Well that's the trouble right? I can't do that and it is entirely unreasonable to do that. I just want to know if the core services I use have any poor history of handling security. – Molly Stewart-Gallus Jul 13 '16 at 01:35
2 Answers
Preface: Without insider knowledge, it is equally likely that a company with security incidents in the past:
- is better prepared for the future
- will continue to have problems in the future
While an analysis of a company's response to a security incident might reveal some clues about their preparedness, it can also indicate strengths or weaknesses in areas other than security itself (mainly public relations). The same applies to the frequency, severity and response time.
Without full insight, such an assessment might lead to wrong conclusions.
Personally, I would put most trust in a company/team/system with a significant, decreasing number of well-handled near misses, information that won't be officially publicised (unless in retrospect).
Where do I start to learn more about a given company's or software solutions' security track record?
This question boils down to "how do I choose a business partner in a free-market economy?" If you are concerned about the security, you start by:
- navigating to the main page of an Internet search engine (like duckduckgo.com, google.com, bing.com)
- typing "company_name security" into the search field
- important: clicking on the "News" hyperlink above the search results
- reading media reports related to the company, service or product in question, taking into consideration reports from the entities you trust most
- iterating with different search queries: "company_name breach", "company_name safety record", "service_name security", "product_name security", etc.
In short (and in theory), in a free-market economy it is the role of independent media to gain the information (including insider information) and present it to the public with an analysis. It is, however, up to the public whom it trusts.
There are several different indicators of security health you can look for.
Most notably:
- Do they publish information publicly about their security patches?
- Can they provide you with the results of their most recent penetration test or results from a static code analysis?
- How often do they test their systems and software?
- Can you find any CVEs related to the software in question, and if so, how long did it take for the company to respond and the patch to be created?
- In addition to techraf's advice about searching for the company name and a few security terms, also see if there are any lawsuits against the company; you can do this by searching "vs. company name".
- Does the company have a formal security website, e-mail address, or process for reporting security issues?
- Are there any independent or industry forums where people talk about working with the company's software? Can you search this site for security issues?
- In some cases you can also ask a company for a copy of their security policies, which may or may not give you indications of their maturity levels. Some companies will even let you talk to their security team directly if you ask. Etc.
If the company is a Software as a Service (SaaS) platform, can you find any threat intelligence information about their IPs (possibly free or via a commercial service)? Likewise, there are a lot of simple tests to see how well maintained their web security is: ciphers used, web server security headers configured on their web server, PKI details, certificate pinning, etc. You could take a penetration testing proxy like Burp Suite Pro and "passively" surf the website and see what kind of security issues arise (be careful and do not scan them without permission; also, please don't do this if you aren't really familiar with the tool either).
If you find any issues, see if you can determine how long those issues have been present too. Was it a bug that the Internet as a whole took care of a few years ago, or something that came out this morning?
If you continuously watch your vendors, one fun thing to watch is patch frequency. Even on websites or the applications they use, you can almost always find version information of some kind, check whether that's current, and watch to see how long it takes until the company updates things. If you script this you can create patching graphs to determine how active they are about things. It's a very useful health metric.
Ultimately there are problems with all of these methods which you will have to understand to make a good decision. Just having a lawsuit against a company doesn't mean it's bad at all. Google search results for security don't indicate if the issue was handled professionally or poorly. And angry people on the Internet may say bad things which may not even be true. So when focusing on these things see if you can detect indicators of maturity in their program and also signs of quick responses to issues. Every company will eventually have bad days but whether or not they learn from it and mature is what becomes important long term.
You can also hire companies to do vendor security analysis for you. I'm frequently hired as a penetration tester to test all sorts of third party applications and software which are used in a wide variety of ways. If you just want fast results someone who does that professionally can probably get to the critical information a lot faster too.
Without more information I can't specifically tell you what to test but hopefully this information and the comments by techraf will help.
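The two passive checks the second answer describes, missing web-server security headers plus version disclosure, and patch lag measured from periodic version observations, as an added Python example. This is not code from either answer or from any vendor; the HTTP response, the version strings and the release dates are all constructed sample data, and the version names and dates are hypothetical. In real use the header block would come from a site you are authorised to look at, and the observations from your own monitoring cadence.

```python
"""Passive vendor security-health checks on constructed sample data (added example)."""
from datetime import date

# Security headers a well-maintained HTTPS site is normally expected to send.
EXPECTED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
}

# Response headers that commonly disclose software versions.
VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# Constructed sample response; not captured from any real site.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
"""

# Constructed fortnightly observations of a hypothetical product version
# as seen on the vendor's site, in chronological order.
OBSERVATIONS = [
    (date(2016, 2, 1), "3.1.0"),
    (date(2016, 2, 15), "3.1.0"),
    (date(2016, 2, 29), "3.1.0"),
    (date(2016, 3, 14), "3.1.1"),
    (date(2016, 3, 28), "3.1.1"),
    (date(2016, 4, 11), "3.1.1"),
    (date(2016, 4, 25), "3.1.1"),
    (date(2016, 5, 9), "3.1.2"),
]

# Hypothetical upstream release dates for those versions.
RELEASES = {
    "3.1.0": date(2015, 12, 10),
    "3.1.1": date(2016, 2, 18),
    "3.1.2": date(2016, 4, 28),
}


def parse_headers(raw):
    """Parse a raw HTTP header block into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # status line or blank line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def header_findings(headers):
    """Return (sorted missing security headers, version-disclosing headers present)."""
    missing = sorted(EXPECTED_HEADERS - set(headers))
    disclosed = {h: headers[h] for h in VERSION_HEADERS if h in headers}
    return missing, disclosed


def patch_lag(observations, releases):
    """Bound how many days each new version took to appear after its release.

    Because observations are sampled, the true deployment date lies between
    the previous sample and the first sample showing the new version, so the
    result is {version: (min_days, max_days)}. A version already present at
    the first sample, or one without a known release date, maps to None:
    its deployment date cannot be bounded from this data.
    """
    lag = {}
    seen = set()
    previous_date = None
    for sample_date, version in observations:
        if version not in seen:
            seen.add(version)
            released = releases.get(version)
            if previous_date is None or released is None:
                lag[version] = None
            else:
                lower = max(0, (previous_date - released).days)
                upper = (sample_date - released).days
                lag[version] = (lower, upper)
        previous_date = sample_date
    return lag


if __name__ == "__main__":
    missing, disclosed = header_findings(parse_headers(SAMPLE_RESPONSE))
    print("missing security headers:", missing)
    print("version disclosure:", disclosed)
    for version, bounds in patch_lag(OBSERVATIONS, RELEASES).items():
        print(version, "lag (days):", bounds if bounds else "unknown")
```

Running the script shows three missing headers and two version-leaking ones for the sample response, and patch lags of 11 to 25 days for 3.1.1 and 0 to 11 days for 3.1.2, while 3.1.0 is reported as unknown because it was already deployed when monitoring began. Keeping the bounds rather than a single number is the caveat that matters when you turn this into a patching graph: a fortnightly sample can never show a lag more precisely than two weeks.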