The Security Table

Lack of Reasonable, or Everything That Is Wrong with Security Requirements

Tania Ward, Izar Tarandach, Matt Coles, and Chris Romeo Season 1 Episode 19

How do you determine what constitutes "reasonable security" when evaluating vendors? Is "reasonable" a measure of compliance with a set standard? Is it reasonable to expect mature threat modeling practices? Some expectations are too high to be reasonable, yet the minimum standard both parties agree upon doesn't seem like enough.

Join the hosts of the Security Table as they discuss the importance of a reasonable security standard, one that both a vendor and the buyer can agree upon.

Izar bemoans the vetting process for software vendors: it can be overburdened with paperwork and checkboxes, yet still leave the buyer without confidence in a product's security. Can we do better? He asks Matt and Chris what information or assurances vendors can reasonably provide to convince buyers that they truly understand and prioritize security.

Chris proposes evaluating people, process, tools, and governance as a starting point. Matt raises the challenge of satisfying the end customer as well as internal teams and leadership at the same time. Threat modeling is proposed as a basic starting point. But is threat modeling just a bare minimum, or is it the reasonable standard that both sides of the discussion can be happy with?

The team discusses the importance of seeing the build and delivery pipeline of any product being considered.

What is reasonable? A threat model, documentation of that model, and an invitation to read it and ask questions about the described process. The threat model needs to cover what is built and how it is built, as well as deployment into production. That is enough. That's reasonable. Is the team's conclusion reasonable? Listen along, and watch for the upcoming discussion on LinkedIn.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Podcasts we love

Check out these other fine podcasts recommended by us, not an algorithm.

The Application Security Podcast

Chris Romeo and Robert Hurlbut