There are different types of methodologies and standards used in the IT world to create a baseline for secure operating practices. This not only involves IT infrastructure and software, but also the humans involved.
In our daily work, we stumble upon tests where our clients lack secure routines in patch management, coding and testing, and simply do not understand the risks they are exposed to. It is our job to help them. To educate them where and when they need it. We, as security professionals, need to care about security ourselves, so they in turn will know that we care about theirs.
With the big shift to using other people’s machines (AKA, “The Cloud”) to support on-prem infrastructure, platforms, and services, new policies and procedures need to be considered. These “new” environments are often made to sound completely secure. While in and of themselves they might be, what you build on top of the foundation is a whole different story. You can build the strongest foundation, but if the structure sitting on top of it is falling apart… what’s the point?
Is your data secured?
This brings us to external third-party service providers. Most businesses need multiple solutions for the day-to-day workflow. Not all these needs can be met using internal resources or custom-made applications. Reasons can vary, but cost is usually a big factor in this decision. Either the current solution is costing the company too much time, or designing something in house would be too expensive to build, develop, and maintain. If you can think of a problem, there are usually others that have that same problem. And often, there will be a solution for that problem somewhere on any one of the various internets.
The big selling point is that it is a ready to use service, someone else is maintaining it. All you have to do is use it. This, of course, brings with it some potential issues on its own. You don’t have full control of what is happening. And why should you? You paid someone else to worry about that!
When you let someone else handle your data, you want to make sure it is being handled properly and securely. When approaching a company about their product, there are several things you should be aware of:
- Transparency
- Flexibility
- Encryption
- Security
Transparency
Many social media platforms are “free” to use, and you must simply accept their terms and conditions. If you are buying a product, you should have certain rights when it comes to what you are buying, as well as a legitimate excuse to complain about it if something is not as advertised.
One of the first questions to ask the provider should be “What is your security policy? What are your security procedures? Do you have penetration testing done regularly, or at all? And can we see those reports?”. Yes, that is more than one. It’s not always so simple.
Our thoughts on this are… if they are not prepared to answer these questions, they are not putting security as a priority. If they are not willing to share their policy and procedures, they might not be putting security as a priority. If they don’t want to share any previous penetration testing results, they might be trying to hide something.
Flexibility
Even though you are buying an out-of-the-box product, there might be a need to customize it to fit your company’s specific needs. The actual needs and demands aren’t the crucial part in this. It is more about if they are receptive to your needs. Do they care about your questions? Do they seem willing to help you with the solution? Can compromises be made?
Some services simply cannot be flexible with their implementations. But this could be an opportunity to see how the company handles its customers.
Encryption
The use of encryption to protect the transmission of data over the internets is now common practice. At the end of 2018 the percentage of traffic using HTTPS is over 72% and climbing. This is a huge increase from the previous years! And while this is a great thing, it does not guarantee in any way that it is implemented properly. Is the SSL/TLS implemented properly? With the latest standards applied? Do you have to “pay to play” to get the best service and encryption? Is your “safe” environment sitting on the same machine as the other customers that don’t want to pay for the top-of-the-line security options? … Makes you feel a bit uncomfortable, right? Did they forget to tell you that? Oops! Guess your fancy encryption doesn’t really matter now…
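The questions above (“Is the SSL/TLS implemented properly? With the latest standards applied?”) can be partly answered with a quick technical check of the provider’s own endpoint. The script below is an added example written for this post, not code from the original article: it performs a verified TLS handshake with the Python standard library and grades the negotiated protocol, cipher suite and certificate lifetime against a baseline. The baseline thresholds (`MIN_VERSION`, `WEAK_CIPHER_MARKERS`, `MIN_CERT_DAYS_LEFT`) and the placeholder host `provider.example` are assumptions you would replace with your own policy and the service you are evaluating.

```python
"""Added example: grade a provider's TLS endpoint against a simple baseline.

The thresholds below are assumptions for illustration, not an official standard.
"""
import socket
import ssl
from datetime import datetime, timezone

# Assumed baseline: nothing older than TLS 1.2, no legacy cipher families,
# and at least two weeks of certificate validity left.
MIN_VERSION = "TLSv1.2"
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT", "MD5")
MIN_CERT_DAYS_LEFT = 14
VERSION_ORDER = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3,
                 "TLSv1.2": 4, "TLSv1.3": 5}


def utc(year, month, day):
    """Small helper to build timezone-aware UTC dates for evaluate()."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def evaluate(version, cipher_name, not_after, now=None):
    """Return a list of findings for one negotiated session.

    version     -- protocol string as returned by ssl.SSLSocket.version()
    cipher_name -- suite name as returned by ssl.SSLSocket.cipher()[0]
    not_after   -- certificate expiry as an aware datetime
    An empty list means the baseline was met.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    if VERSION_ORDER.get(version, -1) < VERSION_ORDER[MIN_VERSION]:
        findings.append(f"protocol {version} below baseline {MIN_VERSION}")
    upper = cipher_name.upper()
    if any(marker in upper for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite {cipher_name}")
    # TLS 1.3 suites always use ephemeral key exchange; for TLS 1.2 the
    # suite name must carry an (EC)DHE exchange to provide forward secrecy.
    if version == "TLSv1.2" and "DHE" not in upper:
        findings.append(f"no forward secrecy: {cipher_name}")
    days_left = (not_after - now).days
    if days_left < 0:
        findings.append("certificate expired")
    elif days_left < MIN_CERT_DAYS_LEFT:
        findings.append(f"certificate expires in {days_left} days")
    return findings


def probe(host, port=443, timeout=5.0):
    """Handshake with the platform trust store; return (version, cipher, not_after).

    create_default_context() verifies the chain and hostname, so an untrusted
    or mismatched certificate raises ssl.SSLCertVerificationError here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            version = tls.version()
            cipher_name = tls.cipher()[0]
            cert = tls.getpeercert()
            # cert_time_to_seconds() parses the 'notAfter' string format
            not_after = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return version, cipher_name, not_after


if __name__ == "__main__":
    import sys
    # Placeholder host; pass the service you are vetting as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "provider.example"
    try:
        v, c, exp = probe(target)
    except ssl.SSLCertVerificationError as err:
        print(f"{target}: certificate not trusted: {err}")
        sys.exit(1)
    for finding in evaluate(v, c, exp) or ["baseline met"]:
        print(f"{target}: {v} {c}, expires {exp:%Y-%m-%d}: {finding}")
```

Run it as `python tls_check.py the-service-you-pay-for.example`. Note what this does and does not tell you: it reports only the single best session your client negotiated, so a server that still accepts TLS 1.0 from older clients can look fine here, and it says nothing about the tenancy question raised above (whether your “safe” environment shares a machine with other customers). Those remain questions for the provider’s written policy and their penetration test reports.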
Security
Finally, we come to the main point of why we are here and why we do what we do. We care about security. Not only for our customers, but our own as well, because in reality, it is all interconnected in some way.
We see a lot of issues in our day-to-day work. The OWASP Top 10 is not some arbitrary list; these issues are very prevalent out there. The reasons we keep seeing them are endless and we could list them all day long. But it always seems to come back to one thing. The human element is often found to be the weakest link in the chain. It doesn’t matter what fancy security products and services you buy; they are all useless if they are not configured properly, not turned on or plugged in, not patched regularly, or too difficult to manage.
Final words
Just as you would properly vet a potential new employee (thorough background checks, valid references, technical understanding of the role you are hiring for), the same process and methodology should be applied when looking at a potential third-party application. Have more than one plausible candidate, and do not fall into the trap of choosing on cost alone. Just don’t exclude an option before you have asked these more in-depth questions regarding security.
To help you, we have put together a checklist that could and should be used as a questionnaire when vetting 3rd party services that you might consider using. We have added what we think are a few great questions to start with when evaluating the security maturity of a service provider’s application.
To download, click here.
Mattias Döj
Mattias Döj is a very easy-going guy and appreciates meeting and including new people. During his time in IT security, he has worked globally and traveled the world to perform a variety of penetration tests.