The interconnection between major organizations and their many service providers is providing a successful, and often ignored, path through which attackers are penetrating large, well-protected targets such as the Office of Personnel Management and Target. In both of these examples, the breaches were enabled through an earlier successful breach of one or more of their divisions or suppliers. While partners and vendors are an important part of the technology and service ecosystem, their security postures and policies are often opaque, leading to significant vulnerabilities.
Recognizing this weakness, security leaders from 10 major companies have come together in an effort to provide recommendations on developing more transparent security information sharing relationships between firms who find themselves similarly interconnected and interdependent with suppliers. They are advancing a framework through which the security of product and service providers can be more consistently assessed.
The organization is the Vendor Security Alliance (VSA), and its contributors include Uber, Twitter, Palantir, Atlassian, and others. Their first deliverable, a security questionnaire designed to raise and discuss these topics with vendors, was delivered on October 1, 2016.
The questionnaire is sizable. It consists of an introduction to its purpose; six sections of questions addressing concerns around data protection, security policy, preventative and reactive measures, supply chain management, and compliance; and a glossary of terms that helps clarify some of the language in the earlier sections. The information is delivered through a series of content pages and a combined spreadsheet that can act as a checklist and review artifact.
Overall, my first impression of the VSA questionnaire is that it asks meaningful and critical questions that need to be consistently discussed with partners and suppliers. As this questionnaire evolves and includes content that makes the purpose of the exercise clear to a broader audience of readers, its impact will become significant.
Larger organizations will already understand the need for this information, and will benefit from this current format, but less advanced readers will probably struggle. As an example, in the introduction, the authors recommend that readers assess the priority of their security investments, based on each kind of data they are sharing and each vendor they are working with. This is good advice, but less sophisticated readers won’t know how to set those levers or where to look for balance.
In its first version, this document doesn’t educate visitors on the reasons behind the selection or organization of areas to investigate, and there is no guidance on what the range of acceptable answers should be. Some readers will need this background because there are few security managers in smaller firms with the expertise of these contributors, and they will not immediately understand the purpose or priority of many of the questions. In those cases, collecting this survey information won’t serve a real purpose and could provide a sense of comfort when none is warranted. In future versions, the rationale behind the various questions would better equip VSA questionnaire users to balance their need for security with the right attention to these many elements.
The questionnaire also recommends that vendors be asked for security tests, plans, and strategies in areas like software development, incident response, and active security testing. The VSA is providing real value simply by empowering readers to feel justified in asking for these documents, and a good outcome will be that vendors begin to expect these requests and document and execute their security strategies accordingly. As with some of the technical questions, more background would be very useful here. Examples of good plans, or pointers to educational materials on their purpose and formulation, would add significant value for readers with limited knowledge of the topics.
In the context of improving the actual questionnaire, defining expectations for these reports could include an additional level of detail. For example, does the vendor’s penetration testing plan exercise all of the interfaces that the organization relies on? Is the software security development policy applied in some way to evaluate older applications that may be important but not under active development? Does the incident response plan include public relations expenses and efforts? In reviewing these partner plans, the details of the rigor and outputs are what will determine their impact, and readers may lack the expertise of these authors to judge when enough is enough.
I think this team of volunteers is doing a great service to the market by sharing their knowledge and concerns in this format. Given the security skills shortage in the market, it is likely going to take a couple more versions, with more supporting background information and education on reasonable expectations, before this questionnaire begins to improve the security performance of vendors and the companies that rely on them. In the short term, examples of successful survey responses, anonymized if necessary, will provide good direction for early adopters.
These organizations have taken on a challenge with a very broad scope. At some level, almost all disciplines in security are either explicitly or implicitly examined when defining responsibilities between vendors and clients. If others can dedicate the time and have the experience, even if only to develop content or recommendations in a specific area, I encourage them to contact the VSA team and volunteer. There is plenty to be done.