Vendor Selection Feed

05/13/2011

Small Business Innovators Must Design Web Applications with Security In Mind

Apps-button We had a unique call come in yesterday, one I wish we had more of, but we don't. 

A small business owner with a brokerage of sorts wanted to develop a website that would allow the producers and the buyers to post information, in some cases highly personal information, review non-confidential subsets of the data about the other and keep the whole thing secured from the outside.

She asked if we could help and provide "small business pricing quotes."

In fact, I don't think many security firms get those calls.

Most of our calls are after the fact either after the app or system has been developed or just after it has been breached. 

She called us asking questions because she didn't have any answers.  I think that approach serves us well in many endeavors.

We can help her.  We offered to help her develop a list of functions and safeguards she needed in her application, help her manage the procurement process and then to test the application for security before she accepted it from her developer.

In 10 years of business that was a first.

Most web applications, particularly web applications are built with out much thought to information security, customer privacy or regulations covering the information.

Truthfully no application is 100% secure.  But an application that has been designed and developed with careful consideration for its information security, user privacy and regulatory requirements stands a great defensive chance once it has been launched.  Testing that application before launch further raises the defensive posture.  Regular testing and a proper operational routine after it has been released to production even further raises that posture.

Again, our experience has been that most businesses, particularly small business, design and develop applications, release them to production and then through some event realize that security is a concern.  There is a breach or a break-in.  The site is knocked off line by a denial of service attack and revenue streams are interrupted.  The invoice from the payment card processor is higher than they want to pay and they find it is because of non-compliance with PCI.  And so on.

This occurs because two things don’t happen up front:

  1. Security just isn’t talked about as part of the deisgn process.  It must be!
  2. An assumption is made that developer and hosting providers on the project will handle security.  In most cases they won’t unless you demand it of them and back the demand up with contracts and tests.

 

Here is a list of non-technical questions you need to consider as part of your design conversation.  Getting technical on some of these issues may require a member of your IT staff or an outside consultant.  But any small business owner should be able to answer these questions if they are trying to build a business using technology:

  1. What is the sensitivity of the data on our planned site?  Is it regulated data? 
  2. Who regulates the information or audience that uses our site? What are your obligations to protect it?  What are your obligations to maintain user privacy? Does your privacy policy match that obligation? Will the site be developed with the guidance of a privacy policy?
  3. How long can the site be offline before it negatively impacts our business?  When will customers usually visit the site to transact business?  If we are off line an hour of peak traffic time how much revenue will we lose? Profit?
  4. What do our customer’s expect from us in regard to protecting their privacy? 
  5. Will you have user forums or accounts on the site?  How will you verify those signed up are really customers? Or really people?!  Does that matter?  Will you allow any and all comments in your forums? Do you need to edit them or block them?
  6. How does the developer ensure the web application is secure? The database?
  7. How does the hosting provider help secure your application?  How will you know they are doing their job?

You then need to make sure that your development partner builds the site to meet the requirements these questions should raise to the surface.

That site must be deployed in a technical environment that is at minimum protected by:

  • A firewall
  • An uninterruptable power supply (UPS)
  • Regular back ups
  • Anti-virus
  • Proper and verified operating system and application hardening procedures
  • Separation of the development (where you’ll continue to create and innovate as well as test) and production

We then recommend you test the site against your requirements to make sure they were met (best to do that before that last check goes to the developer!).   We also suggest you conduct a vulnerability scan against the site to make sure that it wasn’t developed with technical weaknesses a hacker could use to create havoc for you.

And then finally we recommend that you, as a matter of routine, continue running those tests to make sure the sight maintains the secure posture you paid for in the first place.

Related articles
Enhanced by Zemanta

Posted by Douglas Davidson at 01:03 PM in Information Security Basics, Innovation, Online Business, PCI, Risk Management, Secure Coding, Secure Value, Secure Web Development, Small Business, Vendor Selection | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , ,

| | |

04/07/2011

Epsilon Aftermath Will Expand Seriousness of 3rd Party Verification for Suppliers -- Is your firm ready?

Jacadis helps businesses prepare and respond to security questionnaires and audit requests from their usually larger customers.  We also are the audit and assessment team for some firms who choose to use external resources to review their key vendors' security.

Frankly, as breaches Epsilon isn't a big of deal.    No protected information, just names and email addresses were taken.  And more sophisticated attacks have come and gone in the press largely unnoticed. 

Epsilon has received more attention than the more impactful breaches in part because it touched so many people.  Non techies are talking about it.  We believe that buzz is going to find its way into the executive suites and audit teams of big companies and boost the rigor and frequency with which larger firms test, prod, and assess their supply partners.

In fact it isn't just us that thinks that.  The Wall Street Journal reported in Insulating Your Firm from Third Party Breaches that:

Experts suggest that companies that outsource technology services take some of the following steps:

  • Make sure the vendor has a recognized certification for information security, such as ISO 27001 or SAS 70 Type 2, granted by an accredited auditing organization such as the International Standards Organization;
  • Sign agreements that oblige vendors to undergo regular audits by third parties, at least annually. Auditors should test software (especially software that can be accessed via the Internet) and hardware as well as people, to ensure that vendors’ employees themselves don’t fall prey to scams;
  • Make sure vendors assume liability for breaches that affect customers and end users; and
  • Make contingency plans with the vendor so that neither is caught by surprise in the event of a security breach.

Management consultants and corporate governance experts are providing similar advice to their Fortune 2000 and similarly sized customers.  These recommendations have been around for several years, however, the buzz from Epsilon has the potential to fuel the recommendations to reality.

This will impact you if you answer yes to any of the questions below:

  • Your business is part of the supply or services chain for larger regulated firms.  We see most of the third party verification activity from firms that have regulatory obligations to HIPAA; PCI, GLBA or other financial privacy rules, or Sarbanes-Oxley.  We have seen these type of firms apply the highest security and privacy standards to their vendors even if their vendors don’t process confidential or protected information.  Do you provide services to these types of firms?
  • Your business provides a service that includes considerably volatile information.  If, for instance, you process non-protected personal information but it is somehow seen as critical to your client’s business or it’s relationship with its customers this might apply.  Or, if, for another instance, you process company confidential information such as trade secret related information.  Do you provide services to these types of firms?
  • Firms in the supply chain stack.  You may not be doing business with a regulated firm, but you may be providing services to firms that provide goods or services to firms that provide services to regulated businesses.  You know what they say about it rolling downhill.   Are you at the bottom of a supply chain?

Take action

If you answered yes to any of those questions we suggest the following:

1.  Look at your customer agreements with firms in the categories above. 

  • Do any of those agreements place obligations on your company to protect your client’s information in a certain way? 
  • Do they have the right to audit? 
  • Have you told your IT team about these obligations? 
  • Are you prepared to meet these obligations?

2.  Sit down with your technical leadership and discuss:

  • Are we secure? Vulnerable? Do we follow a best practices approach to information security? Which one?
  • Do we routinely check through tests, assessments, and/or audits our answers to the questions above?
  • If we got an auditing letter from an existing customer would we be ready for the audit in a week? a month? 3 months? 
  • When the auditor arrives do we have documentation that defines our security programs values (policies), details the routines we follow to meet those values (processes), shows that those routines are being followed (logs, action reports, scorecards, etc.) and that our staff is aware of their obligations (awareness training)?
  • If we committed during the sales process with a new customer to do certain things to secure their data did IT and the others in the company responsible for delivering on that obligation have a hand in the answer? Are we overcommitting?
  • Are we managing security well enough that we can create a competitive advantage over other firms in our class?  Can we use that advantage to build new business?

If your business provides business to regulated businesses upstream in your market we recommend you keep asking these questions until you feel comfortable with the answers.

 

Related articles
Enhanced by Zemanta

Posted by Douglas Davidson at 10:45 AM in Committee Action, Competitive Advantage, Compliance, HIPAA, HITECH, Information Security, Information Security Basics, Leadership, Online Business, PCI, Policy, Secure Value, Security in the Business News, Small Business, Trust, Vendor Selection | | Comments (0) | TrackBack (0)

Technorati Tags:

| | |

04/04/2011

Aftermath of Epsilon Hack ... More FUD on Horizon, Third Party Verification Gets Boost, Confirm You Have Strong Passwords ...

Have you read or heard the news about the enormous hack at Epsilon which touts itself as the World's Largest Permission Based Email Marketing Services Company.  The hack affects a long list of major brands and probably includes some companies that you use. 

If you paid attention to the reports then you've heard that no credit card accounts or social security numbers were taken just millions and millions of email addresses and in some cases full names.

No big deal?  Maybe, maybe not.

Some security experts think it means more spearfishing attacks on businesses and individualsOthers don't think it is all that big of a deal

I predict three outcomes and suggest remedies:

First, the amount of FUD (fear, uncertainty and doubt) included in sales and marketing messages from your technology vendors will increase.  With each and every spectacular hack in the market FUD changes and morph to include the new event as a reason to "BUY NOW!" even as we see daily if the product in question doesn't safeguard against that kind of hack.  Be an informed buyer, particularly of items as critical as security technologies.

Second, this large scale hack will catch the attention not just of the security and audit teams at these firms but in the corporate suites as well resulting in greater attention to third party verification and vendor assurance programs. The list of companies affected include a host of major brands.  I've worked with small businesses that provide services to some of these firms.  We've helped these small businesses prepare their environments to meet vendor qualification requirements and we've helped these firms prepare for audits by the larger firms' audit departments as part of contracturally required vendor audits.  If your firm provides services that depend on confidential data from these firms or others with a similar profile be prepared to attend to a heightened audit process.

Third, the information stolen could be used to send targeted attacks to the customers of Epsilon's clients and that might put you at risk in two ways:

  • Targeted phishing attacks that look like legitimate messages from any of these companies are likely to be in our future. Know how to protect yourself from phishing attacks which Jacadis partner SOPHOS neatly outlines.
  • Accounts that depend on your email address might be at risk.  Better safe than sorry.  I would suggest you change your passwords on those accounts and make sure they are strong passwords.

What impacts to business and personal security do you think will be the aftermath of the Epsilon hack?  What fears do you have about how it impacts your business or yourself?

Related articles
Enhanced by Zemanta

Posted by Douglas Davidson at 08:38 PM in Living Securely, Online Business, Secure Value, Security Awareness, Security in the Business News, Small Business, Threats, Vendor Selection | | Comments (3) | TrackBack (0)

Technorati Tags:

| | |

06/09/2010

Are you finding larger customers are increasingly asking questions about your information security and privacy practices?

Question markImage via Wikipedia

Are you finding larger customers are increasingly asking questions about your information security and privacy practices?

Yesterday, we met with a client that provides services to a horizontal business portfolio including firms serving a diverse set of vertical markets.  Many of these markets have regulated information privacy and security practices at the local, state and/ or federal level as well as through contractual obligations with suppliers and customers. 

As a service provider our client is being asked on a customer to customer basis to show compliance with this myriad of regulations.  With each customer request comes a different state law, a different federal regulation, and a new pile of letters in the alphabet soup.

As my client exclaimed, "The volume of these questions just keeps growing. And most of the time they are asking questions that don't even pertain to what we do for their company."

The volume of requests is climbing because larger, regulated businesses through simple prioritization, have realized that now that they have their own houses in order (sorta, somewhat) their greatest risks lie in the information handling of their information by vendors, partners and other third parties.

They are asking questions that don’t pertain to my client because the audit and security teams know how to ask questions to secure the information in their business.  Given the volume of vendors, partners and other third parties they must address they don’t have time to move far off the path they are used to or to get creative.

So you get some strange requests that require a valuable company staff member to answer questions to prove something that really shouldn’t need proving.  Some other examples from my client base:

  • A design firm dealing in product design is asked to show how they protect protected health information under HIPAA from their insurance company client even though they don’t maintain health records.  It is what their customer expects to build trust.
  • A collections network is asked to show how they maintain the privacy of collections records under Graham Leech Bliley even though what they do has been vetted by an attorney not to be covered by GLBA.  It is what their customer expects to build trust.
  • A Software as a Service application publisher is required to prove they manage their network to conform to the Payment Card Industry’s Data Security Standard even though – you’ve guessed it by now – they don’t take credit card data.  It is what their customer expects to build trust.

Customers expect their vendors to treat their information as if it your own.  Call it stewardship.  Prospective customers are going to probe for your ability to be a good steward as they explore your operations through the RFP process or through Q&A during the sales process.  Customers are then going to probe for continuity of that good steward's stance as auditors ask for information that shows you are doing things their way.

  • Failing the questions during the prospects presales process will cost you a sale or make that sales win that much harder to earn.
  • Failing during the audit stage will cost you a customer and depending on how you fail (as in the case of a breach driven post incident audit) may cost more.

How do you represent yourself as a good steward when multiple customers are asking for different things?

Given the increasing volume of requests covering multiple compliance constructs my company, Jacadis, recommends creating an internal information security, privacy and business continuity organization (committee, team or whatever you might call it) using the ISO 27000: Information Security Management Model. The model, an internationally recognized standard in the information security field, provides a framework from which to evaluate and/or organize an Information Security Program.
  
The team then focuses on the most likely risks facing the company balancing your own information security, privacy and business continuity concerns as well as those of customers and prospective customers.

The committee, properly assembled, organized and managed, can then anticipate customer needs, respond to them more cost effectively and more efficiently and in most cases we’ve seen create a competitive advantage for the company.  It is likely your competitors are dealing with the same issues.  The ISO based committee structure gives you a tool to do it better, cheaper, faster.
 
How do you handle customer requests to “prove” your information security, privacy and business continuity plans? Are they just asking? Or would wrong answers .. not having a program … tarnish the relationship?
Reblog this post [with Zemanta]

Posted by Douglas Davidson at 03:18 PM in Competitive Advantage, Compliance, HIPAA, Information Security, Information Security Basics, Leadership, PCI, Policy, Risk Management, Secure Value, Small Business, Vendor Selection | | Comments (0) | TrackBack (0)

| | |

07/10/2009

Secure value by considering information security when selecting a web developer

Many web based businesses are ideas in the heads of non-technical entreprenuers that are translated into action by web application developers.  Selecting the right web developer is key to a successful web based business. Apps-button

Make sure you secure your value when you select a service provider to develop your great idea, million dollar mousetrap or next big thing by asking these questions:

1.    Does the developer have an active portfolio of sites that handle content, information and processes similar to your planned site? 

2.    Will they let you select references from their portfolio (rather than tying you to those they hand pick)?  Ask the references how site security was considered during the course of the project.

3.    Does the service provider consider secure coding as important to your project’s success as the ascetics and functionality of the site?

4.    Does the provider use templates as a base for their work or do they develop everything “from scratch” based on a custom model?

·         If they use templates ….

o   Are the templates developed in house, acquired from a trusted source, or acquired from the public domain?

o   Regardless of the source, how do they validate that no known vulnerabilities are in the template code?

·         If they write all of the code themselves …

o   What is their development process?

o   Do they develop all of the code in house with company employees?

5.    Do they test the code before its release for performance and security vulnerabilities?

6.    How do they validate they are delivering a secured site? 

7.    Will they include an independent 3rd party vulnerability assessment in their service that must be passed before you'll accept delivery?

8.    Do they consider information security in their contract? Do they offer a guarantee that code is provided with no known vulnerabilities? 

9.    Does their service (and price) include maintenance on the code they provide? Does the maintenance include both in house developed code and template based code?  Are security considerations included in their maintenance processes?

10. How do they monitor new vulnerabilities in the code they produce? Will they guarantee or warranty their code?

11. Does the service provider vault the code so you have a secure code set to restore to in the case of a breach?

 

Posted by Douglas Davidson at 03:39 PM in Information Security, Secure Value, Secure Web Development, Vendor Selection | | Comments (0) | TrackBack (0)

| | |

07/07/2009

No Secured Value -- The case of the insecure web "specialist"

Include information security considerations when contracting with a web developer to code your great idea.

We took a call recently from a woman whose brand new web-based business closed its doors for good before less than a day after her site's launch.  The site had been corrupted by a SQL injection attack.  She was an entrepreneur with a great idea and in selecting a developer had made a fundamental error.  It is an error many web based entrepreneurs make.

She had contracted with a “web specialist” to develop an ecommerce site servicing consumers who were busy mom’s just like her.  She and her husband had done everything right except consider the “web specialist” and his ability to code securely.  That mistake meant that after the breach they were out of money and unable to continue their business.

They had done many things right, following conventional wisdom in creating a home-based business.  They had a business plan.  They had incorporated as an LLC.  They had purchased and registered a catchy domain name, thoughtfully considered the function of the web site and how customer’s might use it to make purchases.  They’d taken their plans and their savings, all of it, and hired a web "specialist" to build the application.  To them their idea was the million dollar mousetrap.

The specialist (not a developer but a webmaster with administrative skills and some light web coding experience) had used a library of open source web page templates to “customize” the site.  The templates had not been securely coded.  He didn’t possess the skills to secure it himself or the awareness that security needed to be considered.  And, our husband and wife entrepreneurial team, had not included information security issues in their plans or in their agreement with this “specialist”.

We were called to scan the site to provide a list of what needed to be corrected.  All of their investment (again read this as life savings) had been put into the site.  They had no money to pay for security services or redevelopment. We advised them to hold the “specialist” accountable.  The last we heard they had decided that the cost of an attorney and the costs of redevelopment were too great for their finances.  Before writing this I searched for the site under both the topic and the old URL to no avail.  It appears as if they were forced to stick with their decision to close.

Have you considered the security of your web based business as part of your planning?

Posted by Douglas Davidson at 09:12 PM in Secure Web Development, Small Business, Vendor Selection | | Comments (0) | TrackBack (0)

| | |

My Photo

About

TypePad Profile

Get updates on my activity. Follow me on my Profile.

Categories

Twitter Updates

    follow me on Twitter
    Blog powered by TypePad
    Creative Commons Attribution-ShareAlike 3.0 Unported