Questions to Ask Your Security Vendor

No matter what solutions you look at to help secure your network, you need to ensure that whichever ones you select do not undermine your existing security or introduce new vulnerabilities or problems. This is true whether the solution is proprietary software, open source based, an appliance or indeed a service.

The problem many face when selecting solutions is that vendors will tell you all about the strengths of their product, how many awards it has won, and show you the glowing reviews it has received in various magazines. They also rely heavily on the FUD (Fear, Uncertainty and Doubt) factor and will push it any time they think you may be wavering.

If you want to get beyond the hype and ensure that the company you are dealing with does indeed understand security and has a secure product, then the following are some questions that I have found to work:

  • How do you know your software is secure and that it won’t introduce vulnerabilities into my network?
    What you are looking for here are details on whether or not security is embedded in the development life cycle for the solution.  The earlier it is in that cycle the better.  You are also looking to see what testing practices they use to ensure the product is secure and what integration testing they have done with other vendor products.
  • During the software development life-cycle when do you review security?
    You would expect a vendor in the security space to have security reviews of their product at each stage of the development life-cycle and not simply at the end.
  • What methodologies do you use for testing the security of your products?
    A vendor that is serious about its products will have a structured methodology to test them.
  • Do you use automated tools for security testing your code or code review?
    Ideally the vendor should be using both methods to catch any security bugs in their software.
  • What training do your development and testing teams receive in relation to application security?
    A vendor serious about security will ensure that all members of these teams have taken specific training courses in relation to application security.  Simply attending a coding course and hoping that security is part of the curriculum is not sufficient.
  • Do you have a dedicated team to assess and respond to security vulnerabilities in your products?
    If a vendor does have such a team in place, they are acknowledging that no-one can produce a 100% secure product, but that they have put the resources together to ensure any bugs or issues found will be addressed in a structured way.
  • What is your vulnerability management process?
    This is related to the above point and if the vendor has this process in place you can have some confidence that they will address vulnerabilities found in their products.
  • How do you inform customers of security vulnerabilities?
    What you would expect here is that the vendor has a process in place to ensure its customers are made aware in a responsible manner of potential security vulnerabilities in their product.  As a customer you would not expect to hear about a major vulnerability in a product from the press rather than the vendor.
  • What is your patch management process?
    Once a patch has been identified for a particular vulnerability, how will that patch be sent out to customers and how can I as a customer distribute that patch?  Will I need to do it manually or is there an automated process to receive and/or distribute that patch?
  • For update services, how does the vendor ensure they are secure and that malicious code cannot be injected into that process?
    The vendor should have appropriate measures in place to ensure their distribution servers are not compromised by third parties and that no unauthorised code can be injected into the update process.  Also, the client should be configured to only receive updates from certain sites via a secured and authenticated connection.
  • How many dedicated people will I need to deploy and manage this solution?
    This is something often overlooked by buyers who will later discover the cost of managing and supporting the solution can far outweigh any of the benefits it brings.
  • What training do you provide for my staff on this product?
    Training should be an important part of the solution.  I suggest looking for an ongoing training arrangement, as the solution will change over time and indeed your own staff may change.
  • What protocols does your product use to communicate?
    Make sure the solution does not use any insecure protocols such as FTP to transfer data.
  • What security standards does your product adhere to?
    You should only engage with vendors who use open and peer reviewed security standards for their products. 

For service providers I would include all of the above and add the following:

  • How do you protect my company's data from being accessed by any of your staff and/or other customers?
    You should expect that your data is encrypted and only accessible to you.   I have refused to deal with some providers who told me to trust them that they are secure but cannot share that security information with me.  If you are secure you should be able to discuss those security features in an open way and be subjected to peer review.
  • Should I lose my key or passphrase to my encrypted data can the vendor recover that data?
    Related to the above the answer should be a resounding no.
  • Is your service certified to a recognised standard such as ISO 27001?
    Ideally the vendor should be certified to an international information security standard, such as ISO 27001:2005.   Be careful though to ensure the scope of whatever standard the vendor claims to be certified to applies to the product, service or location that you are getting the solution from. 
  • If not certified to a standard, then are your services regularly audited by an independent third party?
    If the vendor is not certified and does not have publicly available third party audits that you can review, then this would be a cause for concern.  If you want to continue to use this service, then insert a clause in the contract that you can conduct regular audits on the service.

The above are some key questions that I suggest you use next time you are talking to a security vendor.  I am sure I have missed some other good questions.  If you can think of any then please do share them via the comments.