How many of you audit software before you purchase it, whether it is an enterprise application or something installed in that thing they call the cloud? When evaluating software, business units need to evaluate not only whether the solution meets their business needs, but also whether it meets the security requirements of the organization. Based on the security of the offering, the risk of using the software or service may prove too high.
I know that many vendors like to wave a certification in your face or tell you that “someone” has evaluated their software and everything checked out. However, almost every piece of software I have ever looked at has some type of flaw or risk associated with it. You have much more leverage in getting a security flaw fixed before you execute the contract. Make sure you test the software or service, or at least have a report from a reputable company that has performed a thorough security assessment. If the company will not even consider letting you perform a vulnerability assessment on their software or service, you should seriously consider walking away – the risk is just too high.
Let’s take a look at some of the statistics from Veracode’s recent report, State of Software Security Report – Volume 5:
Here’s an example to put this in perspective: suppose an organization were to purchase a new web-based accounting system, move its health benefits to a web-based cloud provider, and implement a mobile device management solution (a web-based console plus iOS and Android apps). There is a very good chance that at least one of the three new web applications will contain SQL injection, XSS (cross-site scripting), or some other critical vulnerability. On top of that, the odds that the mobile applications have security issues of their own are better than even.
To avoid running into these security issues, ask yourself the following questions:
Putting a WAF (web application firewall) in front of a web server is a compensating control, not a fix: the flaw is still in the application, and a WAF is not the answer to having a truly secure infrastructure.
One last note: just because a product passed a security evaluation at the time of installation does not mean that the software or service remains secure throughout its lifecycle. New releases, configuration changes, and newly discovered vulnerability classes all change the picture, so continuously assessing your organization’s information security posture is critical.
Dan Sherman is the Director of Information Security at Telos Corporation. Connect with Dan on Twitter: @0xjudd