Over the past few years, we have seen hacking and data breaches increase in both severity and frequency. The results of these attacks are far reaching – from stolen personal and company information to election tampering. It goes without saying that none of us want to join the growing list of exploited companies or individuals, but it is difficult to evaluate the security capabilities and posture of software and software companies. In this blog, I outline some options for assessing the software and software vendors that supply the solutions we use every day.
The first step is to look at the mechanics of software security, which revolve around three basic threat vectors: software vulnerabilities, process vulnerabilities and physical access vulnerabilities.
- Under software vulnerabilities, particularly in cloud or web-based applications, we have exploits such as Cross-Site Scripting (XSS), malicious web sites that hijack a user's authenticated session to act on their accounts and content via Cross-Site Request Forgery (CSRF), and malicious users attacking data storage systems via SQL Injection.
- Process vulnerabilities consist of open IP ports or exposed access points that give hackers access to internal systems, data and resources. Also included are phishing attempts that target users of the software to give up credentials or supply authenticated access to restricted systems.
- Finally, holes in physical security around operations centers and hosting/cloud installations can provide additional access vectors to uninvited hackers.
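To make the first of these vectors concrete, here is a small added example (not code from the original post or from any vendor it describes) showing the two application-level mistakes most penetration tests still find, SQL Injection and XSS, next to their fixes. The users table and the lookup functions are constructed for illustration; the defence is the standard one, parameterised queries and output encoding.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a real data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the user-supplied value is concatenated into the SQL text,
    so quote characters in the input change the meaning of the query."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_unsafe(name):
    """Vulnerable: untrusted text is placed directly into HTML markup."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """Hardened: HTML-encode untrusted text before it reaches the page."""
    return "<p>Hello, " + html.escape(name) + "</p>"


if __name__ == "__main__":
    # Constructed test inputs: a quote-bearing name and a markup-bearing name.
    odd_name = "' OR '1'='1"
    markup_name = "<b>guest</b>"
    db = make_db()
    print("unsafe lookup rows:", len(lookup_unsafe(db, odd_name)))   # every row
    print("safe lookup rows:  ", len(lookup_safe(db, odd_name)))     # no rows
    print(render_greeting_unsafe(markup_name))  # markup is rendered
    print(render_greeting_safe(markup_name))    # markup is shown as text
```

A dynamic scanner run against the unsafe versions would flag both findings; a static scanner would flag the string concatenation on its own. That is the kind of result an SDLC with scanning in place should already have caught before a customer asks.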
At first, it may seem overwhelming to defend against all the potential threats. But one of the best tools you have for understanding the software and SaaS providers your company utilizes is simply to ask the right questions! Here are some checkpoints to use as you evaluate a software provider or SaaS/Cloud provider:
- Ask your software provider for their Application Penetration Test results. Third-party auditors are often used to conduct security vulnerability tests against the software and hosting systems. The results of these tests can be shared with customers and provide important insights into the overall security of the software or environment in question.
- Ask for relevant reports covering security standards such as SOC 1/SOC 2, ISO 27001/27002 or SSAE 16. These reports of compliance with security standards should reflect the organization's commitment to operational security compliance as well as its commitment to remediating any issues found.
- Ask about the Software Development Lifecycle (SDLC) process. The SDLC should include the use of security scanning tools, including dynamic scans and static scans of the software.
- When evaluating SaaS offerings, ask how the product architecture and the deployed architecture reflect best practices. The deployment architecture should provide data encryption in transit and data encryption at rest, as well as firewalled separation of the presentation, business logic and data tiers, to provide maximum security for customers' data.
- Ask how the security team keeps up to date with security information, patch data and recent exploits, and what their remediation plans are. Security is a rapidly evolving topic of news and information, and your software provider should keep pace with it.
- Ask your service provider about their security remediation policies, their data sources for vulnerability information and the level of internal staffing dedicated to managing the different levels of security for SaaS products. Your goal is to find a provider that takes security as seriously as you do.
Staying on top of new exploits, the proper remediation and the current best practices can make managing software security a full-time job. Your software/hosting provider can be your best partner when it comes to maintaining your data security. Just ask!