Hard Security Questions to Ask your Vendors

Presentation Transcript


  1. Hard Security Questions to Ask your Vendors Michael Howard

  2. Agenda
     • Holistic security
     • Up-front questions
     • Design questions
     • Coding questions
     • Testing questions
     • Security response questions

  3. Why Ask Questions?
     • Everyone has security bugs
     • But what are developers doing to reduce the quantity and severity?
     • Customers have asked us for RFP ideas

  4. There is no Silver Security Bullet
     • Security must be holistic
     • Which means an end-to-end process or set of process improvements
     • A couple of best practices leads to marginal improvement
     • But it may ‘feel’ like the work is being done

  5. Up Front Questions
     • Do you have documented security processes?
     • What method do you follow?

  6. Up Front Questions
     • Education
       • Do you educate all engineers?
       • How often?
       • What sort of classes?
       • Who teaches the classes?

  7. Design Questions
     • Do you follow any design principles?
     • Do you threat model your product?

  8. Coding Questions
     • What compilers do you use?
     • Do you enforce specific compiler defenses?
     • Do you use static analysis tools?
       • Which tools?
       • When are they run?
     • Do you have banned API requirements?
     • What are your crypto requirements?

  9. Testing Questions
     • Do you perform penetration testing?
     • Who does it and when?
     • Do you perform fuzz testing?
     • What is your fuzz testing policy?

  10. Security Response
     • What is your security response process?
     • Who does my company email to report a bug?
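The "banned API requirements" question on slide 8 is concrete when a vendor can show the check that enforces the rule. The following is an added example, not part of the presentation and not any vendor's real tooling: a small Python scanner that flags calls to a constructed list of unbounded C string functions (the list and its suggested bounded replacements are assumptions chosen for illustration), while ignoring occurrences inside comments and string literals and leaving the bounded variants such as `strcpy_s` alone. The C source it scans is constructed inline.

```python
import re
from typing import Dict, List, Tuple

# Constructed banned-API table (assumption for this example, not a vendor's policy):
# unbounded C function -> suggested bounded replacement(s).
BANNED_APIS: Dict[str, str] = {
    "strcpy": "strncpy / strlcpy / strcpy_s",
    "strcat": "strncat / strlcat / strcat_s",
    "sprintf": "snprintf",
    "vsprintf": "vsnprintf",
    "gets": "fgets",
}

# A banned name followed by '(' that is not part of a longer identifier, so
# 'strcpy_s(' and 'my_strcpy(' are not flagged.
_CALL_RE = re.compile(
    r"(?<![A-Za-z0-9_])(" + "|".join(map(re.escape, BANNED_APIS)) + r")\s*\("
)


def _scrub(line: str, in_block: bool) -> Tuple[str, bool]:
    """Blank out comments and string literals on one line so that text inside
    them is never matched. Returns the scrubbed line and whether a /* ... */
    block comment is still open at the end of it."""
    out: List[str] = []
    i, n = 0, len(line)
    while i < n:
        if in_block:
            end = line.find("*/", i)
            if end == -1:
                return "".join(out), True
            i, in_block = end + 2, False
            continue
        if line.startswith("//", i):
            break
        if line.startswith("/*", i):
            in_block, i = True, i + 2
            continue
        if line[i] == '"':
            i += 1
            while i < n and line[i] != '"':
                i += 2 if line[i] == "\\" else 1   # honour backslash escapes
            i += 1
            out.append(" ")
            continue
        out.append(line[i])
        i += 1
    return "".join(out), in_block


def scan_source(src: str) -> List[Tuple[int, str, str]]:
    """Return (line number, banned function, suggested replacement) for each
    banned call found in the C source text."""
    findings: List[Tuple[int, str, str]] = []
    in_block = False
    for lineno, raw in enumerate(src.splitlines(), start=1):
        code, in_block = _scrub(raw, in_block)
        for m in _CALL_RE.finditer(code):
            name = m.group(1)
            findings.append((lineno, name, BANNED_APIS[name]))
    return findings


def format_report(findings: List[Tuple[int, str, str]]) -> str:
    """Render findings as a one-line-per-hit report a build could fail on."""
    return "\n".join(f"line {ln}: {fn}() is banned; use {alt}" for ln, fn, alt in findings)


# Constructed sample C source (not from the presentation).
SAMPLE_C = """#include <stdio.h>
#include <string.h>

/* strcpy(dst, src) in a block comment must not count */
int copy_name(char *dst, size_t n, const char *src) {
    strcpy(dst, src);               /* banned */
    puts("strcpy is also banned");  /* inside a string literal, not a call */
    strcpy_s(dst, n, src);          /* bounded variant, allowed */
    return sprintf(dst, "%s", src); /* banned */
}
"""

if __name__ == "__main__":
    hits = scan_source(SAMPLE_C)
    print(format_report(hits))
    raise SystemExit(1 if hits else 0)   # non-zero exit lets CI enforce the policy
```

The scanner reports the two real calls on lines 6 and 9 and stays silent on the comment, the string literal and `strcpy_s`. Exiting non-zero when anything is found is what turns a written banned-API requirement into an enforced one.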
