If you are a software or solutions provider and any of the following applies to you, we are not doing business. I’ve seen enough.

  1. Your public website, or worse – the web server that fronts your application – gets an F on securityheaders.io
  2. Your product has no provision for 2FA, or the only 2FA provision is SMS
  3. Password rules and “security questions” that haven’t changed since the Clinton administration
  4. Your application re-skins a browser and removes the UI elements I train my users to look for to protect themselves, like an HTTPS URL and the padlock icon, and the means to manually evaluate a certificate for authenticity
  5. Your application bakes in old third-party dependencies (like an ancient version of jQuery or MySQL) with known, unpatched CVEs
  6. You assert that your product is [insert compliance here] but in reality it’s your 3rd party hosting provider, and not your actual product, that is compliant
  7. You cannot articulate specific methods you use to ensure your product is developed with security in mind, and I’ve heard every platitude so don’t go there
  8. You still say SSL when you mean TLS (or HTTPS)
  9. Your transport layer hygiene is unsafe (bad cipher suites, certificates from the browser-distrusted Symantec roots, certs on the brink of expiration)
  10. FTP
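Item 1 is the easiest to check for yourself before a sales call. The script below is an example added to this post, not the author's tooling and not securityheaders.io's actual scoring algorithm: its rubric (the six required headers, the 180-day HSTS floor, one letter lost per finding) is my own approximation. It runs offline against two constructed sample responses; `audit_url()` applies the same logic to a live site if you have network access.

```python
"""Audit HTTP security headers the way a customer vetting a vendor might.

Example code added for this post; not the author's tooling. The grading
rubric approximates what securityheaders.io reports but is an assumption,
not that service's real scoring.
"""
import re
import urllib.request

# Headers treated as required (assumed rubric, roughly what securityheaders.io flags).
REQUIRED = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)

# Headers that, when they carry a version number, disclose the stack to attackers.
LEAKY = ("server", "x-powered-by", "x-aspnet-version")


def audit_headers(headers):
    """Return (grade, findings) for a mapping of response headers.

    Header names are matched case-insensitively. Grade runs A-F, losing one
    letter per missing required header or weak value (assumed rubric).
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    for name in REQUIRED:
        if name not in h:
            findings.append(f"missing {name}")

    # HSTS with a tiny max-age protects nobody after the first visit expires.
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < 15552000):  # assumed floor: 180 days
        findings.append("strict-transport-security max-age too short")

    # A CSP that permits inline script or eval gives up most XSS mitigation.
    csp = h.get("content-security-policy", "")
    if csp and ("'unsafe-inline'" in csp or "'unsafe-eval'" in csp):
        findings.append("content-security-policy allows unsafe-inline/eval")

    xcto = h.get("x-content-type-options", "")
    if xcto and xcto.strip().lower() != "nosniff":
        findings.append("x-content-type-options is not 'nosniff'")

    for name in LEAKY:
        if name in h and re.search(r"\d", h[name]):
            findings.append(f"{name} discloses version: {h[name]}")

    grade = "ABCDEF"[min(len(findings), 5)]
    return grade, findings


def audit_url(url):
    """Fetch a URL and audit its response headers (needs network access)."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return audit_headers(dict(resp.headers.items()))


# Constructed sample responses; not captured from any real vendor.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

BAD_HEADERS = {
    "Server": "Apache/2.2.15 (CentOS)",
    "X-Powered-By": "PHP/5.3.3",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        grade, findings = audit_headers(hdrs)
        print(f"{label}: grade {grade}")
        for finding in findings:
            print("  -", finding)
```

Run it as-is to see the good sample grade A with no findings and the bad sample grade F with eight, then point `audit_url()` at the vendor's login page. Note what the bad sample demonstrates: a header being present is not the same as it being useful, which is why the checks look at values (HSTS lifetime, CSP source lists) and not only at presence.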

Vendors: it is time to look in the mirror and stop paying lip service to security. If you can’t source the competencies you need to deliver a secure product, you need to go out of business before you hurt someone.

Customers: set your expectations high. When you buy a company’s product, you are buying their vulnerabilities. You have to know what those are before you commit to them.


-cp