Eyeballing the Security of Application Service Providers
Jeremiah Grossman, founder and Chief Technology Officer of WhiteHat Security, gives advice on vetting Application Service Providers to ensure security for your business.
I recall reviewing an ASP that had a very robust business continuity plan that included having helicopters supply diesel for its generators if trucks could not get through. Yet it ignored serious physical security vulnerabilities. We drove around its parking lot three times and later learned that no one was watching the cameras. We pointed out that a four-wheel drive vehicle could easily drive up the steps to its front door, smash through it and into the lobby. If it kept going, the vehicle would break through the wall of the computer room. The local fire regulations required that a floor plan of the site be posted in the building lobby, which was open to anyone who walked through the front door. Snap a picture of the floor plan on your camera phone and you had a record of everything's location.
In general, I found that ASPs were quite weak on documentation. Ask them if they can show you evidence that they ever had security awareness training for their staff. It's very unlikely.
Personnel security is another weak area where again documentation is either not available or they will not share it.
While some aspects of ASP security can be tested as the author suggests, others are much harder to come by.