Many social media platforms are “free” to use, and you must simply accept their terms and conditions. If you are buying a product, you should have certain rights when it comes to what you are buying, as well as a legitimate basis to complain if something is not as advertised.
One of the first questions to ask the provider should be “What is your security policy? What are your security procedures? Do you have penetration testing done regularly, or at all? And can we see those reports?”. Yes, that is more than one. It’s not always so simple.
Our thoughts on this are… if they are not prepared for these questions, they are not putting security as a priority. If they are not willing to share their policy and procedures, they might not be putting security as a priority. If they don’t want to share any previous penetration testing results, they might be trying to hide something.
Even though you are buying an out-of-the-box product, there might be a need to customize it to fit your company’s specific needs. The actual needs and demands aren’t the crucial part here. It is more about whether they are receptive to your needs. Do they care about your questions? Do they seem willing to help you with the solution? Can compromises be made?
Some services simply cannot be flexible with their implementations. But this is still an opportunity to see how the company handles its customers.
The use of encryption to protect the transmission of data over the internet is now common practice. At the end of 2018 the percentage of traffic using HTTPS is over 72% and climbing. This is a huge increase from the previous years! And while this is a great thing, it does not guarantee in any way that it is implemented properly. Is SSL/TLS implemented properly? With the latest standards applied? Do you have to “pay to play” to get the best service and encryption? Is your “safe” environment sitting on the same machine as the other customers that don’t want to pay for the top-of-the-line security options? … Makes you feel a bit uncomfortable, right? Did they forget to tell you that? Oops! Guess your fancy encryption doesn’t really matter now…
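Some of those TLS questions you can answer yourself before the provider does. The script below is an added example (not from the original post) that connects to a provider’s public endpoint with strict verification, records the negotiated protocol and cipher and the days until the certificate expires, and separately tries a handshake capped at TLS 1.1 to see whether legacy versions are still accepted. The hostname and the 30-day expiry threshold are assumptions for illustration.

```python
"""Check a provider's public TLS endpoint: negotiated version, cipher,
certificate expiry, and whether legacy protocol versions are still accepted."""
import socket
import ssl
import sys
from datetime import datetime, timezone


def accepts_legacy(host, port=443, timeout=5.0):
    """True if the server completes a handshake limited to TLS 1.0/1.1.
    Verification is disabled on purpose: we only care whether the handshake
    succeeds, not whether the certificate is valid. Note that a client built
    on OpenSSL 3 refuses these versions unless the security level is lowered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        ctx.set_ciphers("DEFAULT@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


def probe(host, port=443, timeout=5.0):
    """Connect with the default (verifying) context and record the result."""
    ctx = ssl.create_default_context()  # validates chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            not_after = datetime.strptime(
                cert["notAfter"], "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "days_to_expiry": (not_after - datetime.now(timezone.utc)).days,
                    "legacy_accepted": accepts_legacy(host, port, timeout)}


def assess(info, min_days=30):
    """Turn probe results into plain findings; an empty list means nothing to raise."""
    findings = []
    if info["version"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {info['version']}; expect TLS 1.2 or 1.3")
    if info["legacy_accepted"]:
        findings.append("server still accepts TLS 1.0/1.1")
    if info["days_to_expiry"] < min_days:
        findings.append(f"certificate expires in {info['days_to_expiry']} days")
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "provider.example.com"  # assumed host
    result = probe(target)
    print(result)
    print(assess(result) or ["no findings"])
```

Run it against the provider’s hostname; a clean result is only a starting point, since it says nothing about how the service is segregated from other customers behind that endpoint.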
Finally, we come to the main point of why we are here and why we do what we do. We care about security. Not only for our customers, but our own as well, because in reality, it is all interconnected in some way.
We see a lot of issues in our day-to-day work. The OWASP Top 10 is not some arbitrary list; these issues are very prevalent out there. The reasons we keep seeing these issues are endless and we could list them all day long. But it always seems to come back to one thing. The human element is often found to be the weakest link in the chain. It doesn’t matter what fancy security products and services you buy; they are all useless if they are not configured properly, not turned on or plugged in, not patched regularly, or too difficult to manage.