Vendor: Insecure, Security

18 Nov 2015, CPOL, 7 min read

Because of my job, I get to talk to a lot of vendors trying to sell products to the organization I work for. I also get to talk to folks at other organizations about how they do security and how they secure the data, products and information they provide to their clients. Lastly, I get to advise my management on whether a vendor's security product is worth bringing in and using, or whether there are other alternatives around. Talking to vendors and outside folks is a small part of my job, yet it is sometimes the most interesting and the scariest part. I've concluded that the security posture of new software is actually getting worse, not better, and that security vendors are at least 50% to blame.

Insecure Software

We are no Silicon Valley, but Kitchener-Waterloo, Ontario is not the frozen tundra of innovation either. The K-W environment is a hotbed of innovation: it has great infrastructure to launch start-ups, along with incubators, collaborators and mentors, and there is a wealth of talent, with 3 post-secondary institutions creating and shaping minds to feed the IT sector for many years to come. We're also home to many large, mature IT innovators: Intel, OpenText, Oracle, BlackBerry, Sandvine and Google, to name a few. The whole ecosystem has been carefully and successfully crafted to spur innovation, start-up companies, growth and maturity in world markets many miles away.

To my bewilderment, in 2015/2016 post-secondary schools are way behind in teaching tomorrow's engineers, designers, programmers, PMs, managers, architects and VPs about software security. There is such demand for raw talent that two universities and one college can barely keep up educating all of the above in the basics they need to know to be successful, so any thought about software security is an afterthought at best. The problem starts with the educational institutions and the obvious lack of value they place on security in software. Admittedly, they want their own systems to be secure, yet ironically that is not a motivator to drive security thinking and education into their basic course offerings. By the time these students graduate, they have already been primed not to consider security in what they do.

Graduates go on to join start-ups and mature organizations, and unless that organization has a strong policy around creating secure software from the get-go, the newly minted engineers, designers, architects and PMs are not going to consider it, because they were not taught to at their post-secondary institution. Furthermore, there is a good chance that the organization the newly minted grad joins is not going to have a good security policy or program in place, because:

  1. They're a start-up.
  2. It's somebody else's problem.
  3. It's not a priority, because the staff graduated from an institution that never taught them it had to be a priority.

The Security Vendor

To help fill the void between:

  1. Schools not prioritizing security in the classroom
  2. Development teams that have little to no security knowledge
  3. A company that doesn't have time for security

several smart, security-savvy folks have started organizations that offer services as a security vendor. These organizations have done quite well for themselves, and they offer a whole host of security solutions: consulting, testing, analysis, security planning, road-mapping, binary analysis, third-party testing and education.

Then there are other security vendors which offer security solutions to difficult problems: database/data encryption, patching, etc.

At the core of their offerings, whether a security service or a security solution, all are good and have a time and a place.

What’s the Vendor Security Problem?

The problem often lies in how organizations interact with these security vendors, because organizations are full of folks who have not been taught that security is a priority or how to consider security within their shop. That creates a huge vacuum, and a security vendor then comes in to occupy that space within the organization. I often see a security vendor trying to do all things security within an organization, which is a mistake.

I also see organizations writing code and integrating solutions, and only then engaging a security vendor for penetration testing and security analysis before they ship or at incremental release milestones. This is also a mistake.

I see vendors selling one product or solution to an organization and letting that organization think it is the silver bullet, a massive advancement in the organization's security position. Also a mistake.

The security vendor has one ultimate goal: to give you the service they can for the most expensive price they can. It is not the service that makes the solution insecure; it is the relationship.

An organization that engages a security vendor to do ad-hoc pen testing, scanning or binary analysis on its products is thinking the right way; however, that test only considers a point in time. Consider Organization A, which completes its testing with security vendor V the day before the Heartbleed vulnerability was discovered. If Org A was consuming OpenSSL, it would hopefully order another round after such a significant vulnerability announcement, and it would then see two vastly different results.

However, the reality of software is that frameworks and third-party components are constantly being used to develop software more quickly and more cost-effectively. Vulnerabilities against lesser-known frameworks and components are released daily and are not well publicized. Unless you have the vendor perform a penetration test prior to every release, you are unlikely to find them, and you will not find them even then if the vendor's scanners are not up to date. Org A should then consider another pen test after fixing the findings of the previous one. It becomes a vicious and costly cycle.

Sometimes vendors become too integrated into the development team, providing that vital security knowledge; when such a vendor relationship breaks down, it leaves a dangerous vacuum of knowledge.

Vendors who understand their technical solutions very well sell those solutions to various organizations, and the organizations bring the vendor in to help implement and organize the solution in a consulting role. There is nothing wrong with this; however, sometimes the organization forms a different idea of the total solution than the vendor, and this can leave the organization feeling a lot more protected than it really is. Consider an organization that buys a vendor solution to implement data-at-rest security.

The data could very well be protected within flat files, databases and data stores, all safe, monitored and in an encrypted format. However, the organization needs that data to function and do its job. The vendor sold a data security solution, and the data is safe while it is at rest and being stored, but as soon as applications require access to the data, it is decrypted and vulnerable. The vendor says the data is secure at rest; the organization hears that the data is secure; an application gets breached, and data is liberated from the organization unencrypted and in the clear.

Security Secure Solution

I am not advocating against security vendors: their services are invaluable and needed, and their technical solutions are certainly a cost saving. I am advocating that the relationship with security vendors needs to change. It's almost 2016, and the cost of a data breach this year was $216 a record. It's time that any organization that buys or implements a solution, or writes software, starts to hire security staff who are experts in IT security. The IT security problem cannot be solved with vendors and vendor solutions alone; security needs to become part of the corporate DNA, from the CEO down to the person collecting the mail and shovelling the snow.

The relationship with security vendors needs to change from "I can do that for you and meet all your security needs" to "Let us help you where you're struggling." You (organizations) need smart IT security folks to grow a culture of IT security within your shop. You need to build security into more than just your perimeter (firewalls, etc.): into what you do, your education programs, your training and your programming. You need your IT security staff to manage the relationship with security vendors, so that the vendors augment and supplement what you do rather than being your whole security program.

Post-secondary schools, you need to start focusing on teaching security as a priority and as part of the basic skill set your graduates leave with.

Organizations that have IT security staff: you hired them, so why not listen to them? Listen to them, respect them and develop them further so they can continue to drive security into everything your organization does.

It's 2016; until we start doing these things, the security position of our software and organizations is only going to get worse, not better.

The post Vendor: Insecure, security appeared first on Security Synergy.

This article was originally posted at http://security.howellsonline.ca/vendor-insecure-security

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By

Canada Canada
I am a Sr Engineer for a major security firm; I have been developing software professionally for 8 years now. I've worked for start-ups, small companies, large companies, myself, and education. Currently the company I work for has 7,000+ employees worldwide. I am responsible for our platform security: I write code, implement features, educate other engineers about security, perform security reviews and threat modeling, and continue to educate myself on the latest software. By night, I actively work to educate other developers about security and security issues. I also founded a local chapter of OWASP, which I organize and run.

I cut my teeth developing in C++ and it's still where my heart is with development; lately I've been writing a lot of C# code and some Java, but I do have a project or two coming out in C++ / DirectX 11 whenever I get the time.

When I am not developing code I am spending my time with my wife and daughter, or I am lost deep in the woods somewhere on a camping trip with friends. If you can't find me with a GPS and a SPOT device, then chances are I am on the rugby pitch playing rugby and having a great time doing so.
