If you are a software or solutions provider and you fail any of the following conditions, we are not doing business. I’ve seen enough.
- Your public website, or worse – the web server used for your application – gets an F on securityheaders.io
- Your product has no provision for 2FA, or the only 2FA provision is SMS
- Password rules and “security questions” that haven’t changed since the Clinton administration
- Your application re-skins a browser and removes the UI elements I train my users to look for to protect themselves, like an HTTPS URL and the padlock icon, and the means to manually evaluate a certificate for authenticity
- Your application bakes in old third-party dependencies (like an ancient version of jQuery or MySQL) that have known, unpatched CVEs
- You assert that your product is [insert compliance here] but in reality it’s your 3rd party hosting provider, and not your actual product, that is compliant
- You cannot articulate specific methods you use to ensure your product is developed with security in mind, and I’ve heard every platitude so don’t go there
- You continue to say SSL instead of TLS or HTTPS
- Your transport layer hygiene is unsafe (weak cipher suites, certificates from CAs that browsers have distrusted such as Symantec, certificates on the brink of expiration)
- FTP (credentials and data in the clear, when SFTP and FTPS have existed for decades)
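Two of the items above (the headers grade and transport hygiene) are easy to turn into a script that runs during vendor evaluation. The following is an added example, not code from the original post: the header list mirrors what a securityheaders.io scan reports on, but the one-letter-per-missing-header grading is this example's own simplification and not the site's real scoring; the weak-cipher markers and the 14-day expiry threshold are likewise assumptions, and the sample headers and certificate dates are constructed so the checks run offline.

```python
"""Scriptable checks for the securityheaders.io and TLS hygiene items on
the list above.  Added example, not the original post's code."""
import socket
import ssl
from datetime import datetime, timezone

# Headers a securityheaders.io scan looks for.  The grading in
# header_grade() (one letter per missing header) is this example's own
# simplification, not the site's actual algorithm.
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy",
)

# Substrings (OpenSSL and IANA naming) that mark a negotiated cipher suite
# as unacceptable.  Assumed list for this example; extend to taste.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "ADH", "AECDH", "anon")


def missing_security_headers(headers):
    """Return the required headers absent from a response (names compared case-insensitively)."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_HEADERS if h not in present]


def header_grade(headers):
    """All six present -> 'A'; each missing header drops one letter; five or six missing -> 'F'."""
    missing = len(missing_security_headers(headers))
    return "ABCDEF"[min(missing, 5)]


def weak_cipher(cipher_name):
    """True if the cipher suite name contains a known-weak algorithm marker."""
    return any(marker in cipher_name for marker in WEAK_CIPHER_MARKERS)


def days_until_expiry(not_after, now=None):
    """Days from `now` (UTC) until a cert's notAfter string, e.g. 'Jan 10 00:00:00 2024 GMT'."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def cert_on_brink(not_after, now=None, threshold_days=14):
    """True if the certificate expires (or already expired) within threshold_days."""
    return days_until_expiry(not_after, now) < threshold_days


def live_tls_check(host, port=443, timeout=5):
    """Network check (not exercised by the offline sample): connect to `host` and
    report the negotiated protocol, cipher and leaf-certificate expiry."""
    ctx = ssl.create_default_context()  # verifies chain and hostname; rejects distrusted CAs
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _protocol, _bits = tls.cipher()
            not_after = tls.getpeercert()["notAfter"]
            return {
                "protocol": tls.version(),
                "cipher": name,
                "weak_cipher": weak_cipher(name),
                "days_until_expiry": round(days_until_expiry(not_after), 1),
                "on_brink": cert_on_brink(not_after),
            }


# Constructed sample data so the checks run offline.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
EXPIRING_NOT_AFTER = "Jan 10 00:00:00 2024 GMT"  # constructed: 9 days out
HEALTHY_NOT_AFTER = "Mar 31 00:00:00 2024 GMT"   # constructed: 90 days out
GOOD_HEADERS = {  # constructed response headers that would pass
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "geolocation=(), camera=()",
}
BAD_HEADERS = {"Server": "Apache/2.2.15", "X-Powered-By": "PHP/5.3.3"}  # constructed: the F case

if __name__ == "__main__":
    print("good headers grade:", header_grade(GOOD_HEADERS))
    print("bad headers grade:", header_grade(BAD_HEADERS), "missing:", missing_security_headers(BAD_HEADERS))
    print("RC4 suite weak:", weak_cipher("ECDHE-RSA-RC4-SHA"))
    print("expiring cert on brink:", cert_on_brink(EXPIRING_NOT_AFTER, now=SAMPLE_NOW))
    print("healthy cert on brink:", cert_on_brink(HEALTHY_NOT_AFTER, now=SAMPLE_NOW))
```

`live_tls_check("vendor.example", 443)` gives the same verdicts against a real host; a chain signed by a CA the local trust store has distrusted fails inside `wrap_socket` rather than being reported, which is the behaviour you want.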
Vendors: it is time to look in the mirror and stop paying lip service to security. If you can’t source the competencies you need to deliver a secure product, you need to go out of business before you hurt someone.
Customers: set your expectations high. When you buy a company’s product, you are buying their vulnerabilities. You have to know what those are before you commit to them.
-cp