Software vendors will almost always describe their software as very secure and as meeting all the compliance requirements. Is that promise sufficient for you to consider the software secure enough to base your buying decision on? How do you evaluate software for security?

Software vendors are most likely to say whatever makes them look secure. If that is the case, how do you peel back the layers of the onion to get to the core? Here are some questions that can help you get there:

1. Does the vendor follow a secure software development life cycle? Which practices and tools (for example threat modeling, code review, static analysis, security testing) do they use to accomplish this, and can they show evidence of them in use?

2. Does the vendor have a well-defined vulnerability management process? What is the typical cycle time from a vulnerability report to a released patch? How openly do they announce vulnerabilities?

3. Do they communicate newly discovered vulnerabilities to their customers? Is there a vendor web site (for example a security advisories page) where customers can get such information? What is their track record on this?

4. Are there third-party or open-source components in the software? Can the vendor produce an inventory of those components, and do they keep track of vulnerabilities in them and ship updates when one is found?

5. Does the vendor train their developers in secure coding methodology? (The answer to this question reveals a lot about the company's attitude toward security.)

6. Does the vendor conform to ISO 27001 or another well-recognized information security standard? Which compliance requirements do they meet? Keep in mind that a certification such as ISO 27001 covers the organization's security management system, not the security of the product's code, so treat it as one input rather than as proof that the software itself is secure.

7. Does the vendor outsource or off-shore software development? If so, repeat questions 1 to 6 for the outsourced or off-shore shop. (Remember, security is only as strong as the weakest link!)

Software from various vendors can look alike; don't be fooled by the looks. Take an inside-out approach: how well the software is built, and how well the development process behind it is run, determines the security of the software you buy.

If you are not satisfied with the vendor's security practices, say thank you and move on to the next vendor. If you don't make vendors pay for bad security practices, you get less for your money, and you give the vendors no incentive to improve.