Hard Security Questions to Ask for your Vendors


Hard Security Questions to Ask your Vendors
Michael Howard
Agenda
• Holistic security
• Up-front questions
• Design questions
• Coding questions
• Testing questions
• Security response questions
Why Ask Questions?
• Everyone has security bugs
• But what are developers doing to reduce the quantity and severity?
• Customers have asked us for RFP ideas
There is no Silver Security Bullet
• Security must be holistic
– Which means an end-to-end process or set of process improvements
• A couple of best practices leads to marginal improvement
– But it may ‘feel’ like the work is being done
Up Front Questions
• Do you have documented security processes?
• What method do you follow?
Up Front Questions
• Education
– Do you educate all engineers?
– How often?
– What sort of classes?
– Who teaches the classes?
Design Questions
• Do you follow any design principles?
• Do you threat model your product?
Coding Questions
• What compilers do you use?
• Do you enforce specific compiler defenses?
• Do you use static analysis tools?
– Which tools?
– When are they run?
• Do you have banned API requirements?
• What are your crypto requirements?
Testing Questions
• Do you perform penetration testing?
– Who does it and when?
• Do you perform fuzz testing?
– What is your fuzz testing policy?
Security Response
• What is your security response process?
• Who does my company email to report a bug?