Sure, you will probably send out a security questionnaire to your vendors, but out of the hundreds of security questions in a standard CAIQ or SIG assessment, do you really know which ones matter the most? To help you get a pulse check on your current vendors and stay safe from malicious hackers, we talked to a group of, well, professional hackers.
No one knows security vulnerabilities better than hackers themselves, and the white hat hackers, also known as Pentesters, at Software Secured helped us put together a list of basic questions to ask your vendors, along with guidance on what good (or bad) answers look like. These security questions will help you quickly identify whether a vendor has big security gaps or has strong policies in place.
Penetration testing is a security exercise that tests the resilience of your application or network against attack. It involves a team of white hat hackers who are hired to break into your application and find exploitable vulnerabilities before a real attacker does.
Penetration testers do exactly what bad actors would do when trying to access your application, except that penetration testers are ethical hackers: they alert you to the vulnerabilities that live in your application instead of abusing them. In some cases, penetration testing providers may also offer remediation advice on top of the initial vulnerability discovery.
Penetration Testing as a Service (PTaaS) is an extended, more comprehensive form of penetration testing that provides year-round coverage. While a one-time pentest is great for establishing a baseline of your security posture or meeting a compliance requirement, it isn’t always enough. PTaaS tests your application multiple times per year, and provides security consulting and fix verification testing along the way.
Pentesters are expert security engineers who understand risks such as those detailed in the OWASP Top 10. Individual pentesters often specialize: some are particularly strong at identifying certain classes of vulnerabilities, others excel at certain types of penetration tests (such as network or mobile pentests). Pentesters conduct pentests through a combination of manual and automated testing. By creatively applying their areas of expertise they locate known vulnerabilities and can also uncover previously unknown (0-day) issues.
Software Secured is a leading provider of Penetration Testing as a Service, and paired with HyperComply’s cutting edge vendor assessment automation platform, you have two peas in a secure pod. Software Secured’s pentesters place a heavy emphasis on manual testing, mimicking the attack strategies and reasoning of real-life threat actors, which automated tools do not always cover. HyperComply handles the heavy lifting of building trust between teams by automating security questionnaires and accelerating due diligence.
HyperComply is teaming up with Software Secured to provide tech companies with the ultimate solutions for scaling your product(s) securely. Together, we are helping technology companies fast track security questionnaires with the right knowledge, ensuring their strong security posture is leveraged as a strategic advantage and instilling more confidence in their third party relationships.
We asked professional Pentesters at Software Secured what the most important questions are to include in a vendor security questionnaire. After seeing many vendor applications and networks first hand, the team of Pentesters knows how to identify crucial security vulnerabilities and keep your platform safe.
Here are the top five security questions pentesters say you should ask every vendor you work with, along with their suggestions for what good (and bad) responses might look like.
Best: The vendor tracks ALL assets (internal and external) under their purview, along with each asset’s status. The vendor stays up to date with the security status of these assets and has monitoring in place that alerts them immediately when an asset falls out of the expected configuration or patch level.
Good: The vendor has good visibility of key assets and basic monitoring and alerting on the security state of those assets.
Bad: The vendor operates with no asset management controls to prevent or minimize shadow IT or to ensure critical assets are properly maintained. This means IT systems, devices, software, applications, and services can be introduced into the environment without explicit IT department approval. Shadow IT introduces serious security risks to your organization through data leaks, potential compliance violations, and more.
Best: The vendor says “No!”, or at least avoids storing sensitive data wherever possible. Ideally they do not store sensitive information at all (this might not be possible for some organizations); if they must, they follow all of the safeguards covered later in this article. Another option for vendors that have to handle such data is to delegate its storage or processing to a well-established, audited third party (e.g. Google, Stripe, etc.).
Good: The vendor does store data, but only when necessary for their use case, and follows all of the guidelines presented later in the article.
Bad: The vendor says “Yes…we ask for your first born and your mother’s maiden name, and store that information ourselves in unencrypted databases.” They may not say this exact phrase, but if they describe their data storage methods and it amounts to storing large amounts of sensitive data without additional security controls, that is a significant red flag.
Regardless of the policy (onboarding/offboarding, data access or standard safeguards) the best outcome is that the vendor is transparent with their security policies, and shares them publicly. You should be able to find these policies readily available on their website. Beyond being public, the policies are always up to date and audited regularly to see if any updates are required.
Best: Background checks and vetting are conducted for employees, in addition to security training and policy acknowledgement and acceptance at the time of hire. Access to software systems and company assets is removed promptly at the end of employment. These practices are outlined in the company policies, available online or upon request. Regular audits are performed on access to all critical systems.
Good: Background checks, vetting, security training, policy acknowledgement and acceptance at the time of hire. Access to software systems and company assets is removed promptly at the end of employment. These practices are outlined in the company policies, available online or upon request.
Bad: The vendor does not have an onboarding/offboarding security policy! Either they don’t have one, or they are not willing to discuss it externally. Alternatively, the policy exists but is never updated or audited: it is stale and references components or technology that are no longer in use.
Best: The vendor follows the principle of least privilege, with minimal staff access to highly sensitive information. Access is granted on a need-to-know or need-to-have basis, and these policies are audited regularly. The company conducts regular access control reviews to ensure that access granted for special projects or role changes remains aligned with policy.
Good: The vendor does have a policy, there are some access controls and limitations on access.
Bad: The vendor does not have a policy or is not willing to share externally.
Best: The vendor has Multi-Factor Authentication (MFA) enforced globally for all resources, and they have strong system and event monitoring. They also have strong password policies, full-disk encryption, anti-malware and firewalls. Both the standard safeguard practices and the policies behind them are updated and audited regularly.
Good: The vendor has strong password policies, full-disk encryption, anti-malware, firewalls, etc.
Bad: The vendor has none of the safeguards that are mentioned above! Standard safeguards are at the employee's discretion with no formal policy to follow.
Alongside the general question of “What is your security engineering/SLA policy?”, there are several questions that need to be asked about the contents of this policy.
Best: The vendor does regular (quarterly or twice-yearly) pentesting of all internal and client-facing assets by a reputable, high quality external pentester.
Good: The vendor does annual pentesting of all assets that hold client data, and possibly internal pentesting as well.
Bad: The vendor does not do any formal pentesting.
Best: “Yes, with every new feature we perform threat modeling during design and run security scanning (static or dynamic) before it goes into production.”
Good: The vendor performs security scans with major releases in between pentests.
Bad: The vendor says “We do neither!”
Best: The vendor has a publicly posted breach disclosure policy, and they proactively reach out to clients when a breach occurs to notify them of the type and scope of impact, as well as the steps taken to remediate the issue.
Good: Their disclosure policy may not be posted publicly, but it is readily available on request. They have a policy to inform their clients of any impact on client data when or if a breach happens, and they put out a bulletin with all necessary information.
Bad: “We don’t have a process for notifying customers/partners when we have been hacked.”
Best: The vendor details that all data is secured with strong cryptographic algorithms in transit and at rest at all times.
Good: The vendor details that sensitive client data is secured with strong cryptographic algorithms.
Bad: The vendor’s database(s)/client data is not encrypted and is only protected by access controls.
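To make the difference between the “Best” and “Bad” answers concrete, here is an added example (not code from the original article, HyperComply or Software Secured) of what “strong cryptographic algorithms at rest” looks like in practice: a sensitive column is stored as AES-256-GCM ciphertext, the key is held outside the database, and the record ID is bound into the ciphertext as additional authenticated data so a value copied into another row fails to decrypt. A small helper for the “in transit” half pins TLS to 1.2 or newer. The `Record` type, the `cust-1001` ID and the SSN value are constructed sample data; the in-memory key stands in for a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// Record is one row of a hypothetical customer table. Only SSN is sensitive,
// so only that column is stored encrypted; ID and Email stay searchable.
type Record struct {
	ID    string
	Email string
	SSN   string // ciphertext when at rest, plaintext only in memory
}

// Vault wraps the data-encryption key. In production the key lives in a
// KMS/HSM, never alongside the ciphertext; here it is an in-memory key.
type Vault struct {
	aead cipher.AEAD
}

// NewVault builds an AES-256-GCM AEAD from a 32-byte key.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts plaintext with a fresh random nonce. The record ID is passed
// as additional authenticated data, so the same ciphertext moved to another
// row will not decrypt. Output is base64(nonce || ciphertext || tag).
func (v *Vault) Seal(recordID, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal. Any bit flip in the stored value, or a mismatched
// record ID, yields an error rather than garbage plaintext.
func (v *Vault) Open(recordID, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	n := v.aead.NonceSize()
	if len(raw) < n+v.aead.Overhead() {
		return "", errors.New("stored value too short to be a valid ciphertext")
	}
	pt, err := v.aead.Open(nil, raw[:n], raw[n:], []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// MinimumTLSConfig is the "in transit" half: refuse anything below TLS 1.2.
func MinimumTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	rec := Record{ID: "cust-1001", Email: "a@example.com"} // constructed row
	rec.SSN, _ = v.Seal(rec.ID, "123-45-6789")             // constructed value
	fmt.Println("stored at rest:", rec.SSN)
	pt, err := v.Open(rec.ID, rec.SSN)
	fmt.Println("decrypted:", pt, err)
	_, err = v.Open("cust-2002", rec.SSN) // same ciphertext, different row
	fmt.Println("copied to another row:", err)
}
```

The point a questionnaire reviewer should take from this: “encrypted at rest” only means something if the key is separated from the data (a vendor who stores the key in the same database has effectively answered “Bad”), and authenticated encryption with the row identity bound in prevents silent tampering or substitution, which plain access controls on an unencrypted table never do.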
Best: The vendor requires comprehensive security questionnaires for all third-party tools and services, possibly asking for even more security information than you are asking of them. They apply a higher level of scrutiny in their vetting process. If their questionnaire covers questions you haven’t thought of, they are taking security seriously and want to ensure maximum safety for all parties involved.
Good: The vendor says “We only do business with vendors that have gone through and been approved via our vendor questionnaire and approval process.”
Bad: The vendor doesn't have a formal vetting process for their own third-party tools and services.