Adam Ely

Network Computing Blogger


Channel: Security, WAN Security, Data Protection


Know Your Product's Security Capabilities

To build out an enterprise we use technologies in all forms. From the routers that shape the network to the interpreters that run the software powering our web servers, third parties have a hand in how secure our enterprise is. When selecting third-party technologies, security should be kept in mind, but we don't always get much of a choice. If we need a desktop operating system, we are pretty limited. If we need a widget for our website, however, we have more options. No matter the technology, ask the questions that matter to you about security. You may not get all the answers you want, but you will at least understand the risk better and be able to make better decisions in the long run.

Recently, I had to review a product from a vendor. There were only a handful of players in the highly specialized space, and only one vendor who could offer what we needed. I was fortunate that they had thought about security and met most of the requirements I had for this technology. The requirements they couldn't meet were less of an issue since I at least understood what they could and could not do. Even though the risks couldn't be eliminated, by understanding them I could work to mitigate them. This is the approach I took with a business intelligence package that was very good for reporting on large amounts of data but was designed poorly with regard to security. The application was to be the core of the reporting platform we offered to customers, and it far outperformed the other vendors we evaluated. By knowing the issues, we were able to implement controls to overcome the package's deficiencies.

A blog post from Armorize, application security and malware experts, details how thousands of websites have been serving malware via a widget created by Network Solutions. This is a good example of a technology that should be vetted before it is deployed: it is not mission critical, and there is most likely another vendor offering a similar solution, so there is little reason to accept an unknown risk. The website widget is a small, common example that illustrates why you should be wary of the technologies being introduced into your environment and understand the risks they pose.

When approaching a vendor to discuss the security of its product, don't be surprised if they are defensive, attempt to deflect your questions, or even try to stonewall you. Assure them that you are just trying to fully understand the pros and cons and how you can implement the solution to best fit the needs of your enterprise. Remind them that security is important to your business, and to theirs, and that you are not on a witch hunt, just educating yourself. Unfortunately, not everyone is as understanding or realizes that security due diligence is a good thing, but don't fault them for their short-sightedness and for trying to protect their business unless they are being outwardly dishonest. Ask the questions that matter to your business and are related to the product being reviewed. If the product will never touch healthcare information, don't put them through HIPAA questions. Ask targeted questions based on the risk the product poses to your organization.

By knowing how a vendor handles security, you will better understand the risk its product poses to your organization and what extra work may be required to ensure it meets your security requirements. Just because it doesn't meet all requirements out of the box doesn't mean it should be dismissed. Review and make an educated decision with all the facts.
