Top 5 Security Questions to Ask Your Software Vendor
One of the questions that IT personnel regularly face is how to select a vendor from whom to purchase a web application. A vendor's commitment to security should weigh heavily in the decision, because you are trusting your business's reputation to the quality of their product.
Our experience performing assessments on vendor software has shown that it is unwise to assume all vendors are similar in their approach to addressing security. Secure software applications are not created by accident; they take a concerted effort and a purposeful approach.
When evaluating that commitment, you will need to spend some time reviewing the vendor's practices. To help you through this process, Security PS introduces our top 5 questions for software vendors.
Question 1. How is your application development team educated about current application security risks and best practices?
The difference between secure software applications and other products can be traced back to the development practices used to create and maintain the code. Good security practices start with education, so you need to understand the vendor's process for developer training.
Gone are the days when developers of critical business software can claim "security is not my job." While developers should not have to be full-time security professionals, awareness of risk is a critical factor in keeping a developer from introducing software security flaws. Once developers and managers are aware of the prominent risks associated with applications, they can begin to create processes and practices to mitigate those risks, which leads us to the next question.
Question 2. Can you provide an explanation of the application security tasks included in each phase of your application development life cycle?
Security checkpoints throughout the software development life cycle (SDLC) are critical to ensure that risks are addressed before they become entrenched problems in the product. This question helps to identify vendors who subscribe to the ineffective "build first, secure later" mode of operation.
Look for even basic security tasks at each step of the development process as an indicator of the vendor's level of security awareness. Examples of tasks that may be present in a security-aware SDLC include: security requirements analysis, architecture security review, milestone vulnerability scans, QA security tests, beta security assessment, and third-party penetration testing.
Question 3. Is the security of your software assessed by a qualified, independent security firm?
Even if software vendors conduct security testing on their own software, the security of a sensitive application is important enough to warrant review by an independent application security assessment firm. These reviews should also take place after the vendor makes any major updates to the application.
If a vendor doesn't commission independent assessments on their own, customers who require an independent assessment will need to budget for their own review of the product. An important follow-up to this question is question number four.
Question 4. What is your process for responding to security problems identified by customers?
Customers of a software vendor should be confident that the vendor has a plan in place to process and investigate notifications of security problems. The lack of such a process indicates that security issues may not be acknowledged by the vendor at all, or may not be addressed in a timely manner. Once an issue has been communicated and its severity established by the vendor, the customer should receive an estimate of when a solution will be forthcoming.
Be wary of vendors who consider information sharing a one-way street or who fail to adjust software development priorities to accommodate solutions for high-risk security flaws.
Question 5. What is your process for notifying customers of security problems and their solutions?
Once a vendor discovers or is notified of a security problem, they have a responsibility to notify customers using their software. Preferably this notification comes in the form of an email or telephone call. Posting security bulletins to their website may be acceptable if personnel in your company can afford to regularly monitor it for updates.
The timeliness of these notifications is also important. While informed customers may be willing to accept risk for short periods of time or to implement temporary controls, they cannot mitigate a risk they have not been adequately informed of. For this reason, it helps to understand how long a vendor generally takes to acknowledge an identified security flaw and provide notice to customers.
When asking any of these questions, pay attention to the consistency of the vendor's message. Are they just trying to appease you, or do they seem to have a legitimate understanding of how important security is to earning your business?
If you are reluctant to subject vendors to your questions, keep in mind that product security actually improves when vendors are questioned about it. The more customers demonstrate a concern and need for application security, the more likely vendors are to commit resources to a software development security program.
Article content is copyright Security PS 2011 and may not be reproduced without permission.