Tuesday, December 4, 2018

We've got the best people, the best product

This post is going to be more serious.  cough cough...

So the flower site 1-800-FLOWERS just realized that they were hacked years ago (4 years ago), and everyone who came by and entered their credit card numbers had all their information exposed.

But.... it is only Tuesday!  This is supposed to be Friday stuff!


For all we know, 800-Flowers may have been doing a great job and simply been the victim of a long list of other issues that led up to this.  What we do know is that they relaunched an entirely new website claiming to have added security.  That kind of implies that something was fundamentally bad with the old one, or it could simply mean they want a fresh start from a PR perspective.  Time will tell, especially if the actual breach details make it out into the open.

Back when Ashley Madison let themselves be hacked end to end because of a complete absence of anything related to security (see my humorous blog entries on this), 1-800-Flowers actually showed some really witty marketing by offering a special flower arrangement for anyone who got called out for having an account on a cheating website.

I have yet to meet someone who will admit ordering the prestigious "Ashley Madison" flower arrangement, so I still do not know the price.

I had a realization today.  Technology companies have long adopted the DJT (Donald J Trump) approach to cyber security.

"They have the best people, really the best, and the best words."

When a potential vendor I am evaluating gives me this type of response...  I get alert.  Nothing focuses my attention more than hearing "we have great developers" or "our dev team is the best".  Both statements are actually dead wrong.

Here is why.  

A dev team is put together to deliver technology on a predetermined set of parameters such as a delivery date and a budget.  Sure "features" and "functions" are in there, but security rarely is present in these items.

When the CEO says his dev team is the best, this means they deliver on-time and within budget.  From a security point of view, this could spell trouble.

So why exactly would a CEO think his dev team is awesome?

I'm looking at it from the point of view of security.  The senior executive is looking at it generally from delivering a product that works, looks good, didn't cost a kidney, a limb or your first born, and was done within a reasonable time.

So the word "Awesome" means two completely separate things.

Here is the generally accepted truth about a software development team.

They rarely get the luxury of including a strict security testing methodology within their SDLC (if they even have an actual software development lifecycle process in place).

So I do not disagree with a CEO that says their dev team is the best.  I just place that information into the correct bin.  Bin #46:  Dev team is nimble and generally delivers what is asked of them within a reasonable amount of time/budget.

However, as the Chief Security Officer, my questions and my priority bins are #1 to #10, and all of them touch security; none of them touch short delivery times and limited budgets.

The fact is that dev teams are not trained to be cyber security testing experts, so obviously security should be integrated somewhere in the process, either with someone who does master this area of expertise or with a trusted third party who provides guidance or testing with the maturity required to do it for real.

Keep in mind that outsourcing security in no way affords you the ability to think everything is fine, because in the "services" area we find plenty of folks who know how to make a buck yet offer very mediocre services (read here... sub par).

Security is a philosophy that needs to be infused across all players.  This takes the right talent, patience and a reasonable investment.

Outside of this, thinking that the lowest bidder, or the really inexpensive web development company we met last week is doing great security is simply beyond crazy.

Most enterprises simply aren't there.

So here is something to think about.

  • Car manufacturers have great engineers
  • NASA has the "best people"
  • Pharmaceutical companies have bio geniuses 
  • I could go on....

They all have something in common.   Good processes that include formal testing worthy of the asset they are producing.

So we can learn something from these types of enterprises by realizing that if the technology we are deploying is not critical or does not (cannot) expose sensitive data, then sure, the lowest bidder or whatever service is fine.  However, when the service or data is sensitive, an appropriate amount of testing AND oversight is required to ensure that everyone delivers the quality expected.

One of the biggest dangers in the technology industry is the belief that a big company, or an old company, or a company that says the word security eight times on their website.... delivers quality.

Things in the technology world change at an extremely fast pace.   Security professionals who do "real" testing are a rare commodity.

This means you have to ask the right questions.

First off, prioritizing your assets or your systems at any level is an important part of the puzzle.  You need to know how critical something is so you can handle it accordingly.

Knowing that you are about to outsource a piece of your business to a SaaS or cloud provider has to mean knowing what value that piece has for you.

So what are the right questions to ask:

With any service that someone delivers, you want to know that they are delivering something reasonable.

My favourite example is web application development.  In the last months, I have had to deal with several such providers, who all claim to do a great job, yet cannot answer even basic questions about how they achieve this.

Some examples (and the answers I got from a prestigious company):

1) How is security integrated into your software lifecycle?  We test monthly
2) Who does the testing?  Our developers
3) What are their qualifications?  Senior developers have worked for us for over 10 years
4) What triggers a retest?  We always test monthly
5) What types of tests are performed (provide a list)?  Web tests
6) Are these tests automated or manual?  Automated every month
7) Who is vetting the test results?  Our senior developer
8) What secure development training has your dev team received?  They are senior developers and have been trained as such
9) What were the last three significant security issues identified during testing?  We have not had any significant security issues

That last one is a real kicker.....  they have to provide you with something, and statistically it should be something real, and juicy.  Yet, nothing.  So they have never even had an XSS on a forgotten form field.  Impressive indeed!

Bottom line, these questions should be like the questions you get asked when clearing customs.  The question itself is not that important; it is the response that we are looking at, gauging the maturity of the answers.  The answers above.... simply suck and show no maturity at even a basic level.

You simply cannot just hand off your critical data to any third party that claims they develop secure applications and assume this is all good.

Once you have identified someone that gives you reasonable answers, you should still perform your own testing (or mandate someone to do quality testing for you) assuming the system in question is valuable to your business.

This is the sanity check to ensure that the wonderful rainbows promised to you have been delivered.

The old adage, TRUST BUT VERIFY always applies. 

One thing you can trust me on is that, statistically, most companies claim to provide the absolute best security and, just like Donald J. Trump's hands, come in a little too short.


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
