Monday, March 31, 2008
If software vendors really cared about security...
Figured I would post ways for large enterprises to cut through the hype that software vendors use to market security, especially when their products aren't truly secure...
Here are some questions you should consider asking software vendors to respond to:
Make security a fundamental component of software design: Instead of focusing on security features, ask your vendor what practices are in place to ensure that the product is designed securely.
Support older versions of software: Yes, it is more costly to support multiple versions of software, but you know that large enterprises take a long time to upgrade. Should you ignore this fact and let them stay exposed? For example, Microsoft has told lots of corporations that it won't be supporting Visual Basic 6.0, Windows NT and other products. How many IT shops have struggled to upgrade their systems built on this technology in an ROI-driven culture?
Publish metrics on security of new and existing products: Once again, if you acknowledge that large enterprises are slow to upgrade, do you think we may get faster if we understood that your product was made more secure or are you hoping that features alone are enough?
Publish a patch playbook: Shouldn't customers have clear guidance and explicit instructions for risk mitigation throughout the patch management process and especially in times of crisis? Do you think a simple note where we have to thoroughly find your bugs is a sane answer?
Comply with industry best practices before releasing software products: If your application is web-based, should you really release it, especially if it doesn't align with the OWASP Top Ten? There are a variety of tools on the marketplace that can provide automated static analysis, including OunceLabs, Coverity and others. Stop being either ignorant or arrogant and purchase software to do code reviews.
Don't just participate, but also sponsor local security user groups: Software vendors shouldn't think of local OWASP chapter meetings as a way to get folks to buy your software. You should not only ensure that your own employees attend, but also consider encouraging your customers to attend. Lurking is the antithesis of real security...