We're trying to choose a website security service provider to secure our sites, as we don't have the in-house expertise (or budget) to do it ourselves. Can you make any recommendations on what companies should look for in such services?
Ask the Expert
SearchSecurity expert Michael Cobb answers enterprise application security and platform security questions.
Securing a website requires specialist knowledge, so you're right to outsource the job if you don't have the necessary skills in-house. Ideally, you want a firm or individual who can not only find weaknesses in your applications, but also provide recommendations and assistance on how best to remove or mitigate them. The main problems usually occur in input validation, authentication and session management, while poor system and application configuration can also leave a site vulnerable to attack. These vulnerabilities can be uncovered through code reviews, vulnerability assessments and penetration tests.
The company you choose should be able to demonstrate a knowledge of security best practices, as well as an understanding of regulations specific to your industry -- for example, the requirements of the Payment Card Industry Data Security Standard (PCI DSS) for e-commerce sites doing their own payment card processing. The security team should also be experienced in the programming languages used to develop the site, as well as any frameworks used. Knowledge of mistakes inherent to a particular language or framework is essential to eradicate obvious flaws that can lead to well-known and exploitable vulnerabilities in a live site.
Ask to see endorsements from previous clients, and never consider a firm that does not have established service-level, code of conduct and confidentiality agreements. These should clearly set out its obligations and responsibilities and detail how it will safeguard your data and the inside knowledge it gains about your sites. Don't take marketing claims at face value either; always ask to see the qualifications and examples of the competence of the people who will actually be assigned to work on your sites. You don't want to pay for the knowledge of the head consultant, only to find someone using your site for training purposes.
There is a variety of IT security qualifications to look out for; the most widely recognized are those from the Information Systems Audit and Control Association (ISACA) and the International Information Systems Security Certification Consortium, or (ISC)². Microsoft also offers certifications covering the secure administration of sites built on its products.
Check that any pen tests will follow the Open Source Security Testing Methodology Manual (OSSTMM), as it details how a security test should be carried out and includes acceptable-practice guidelines. There are various organizations that provide standards and certifications for penetration testers, including the Council for Registered Ethical Security Testers, or CREST, Mile2, and Tiger.
Finally, it's important that any feedback provided by third parties is seen by staff as additional support, not as criticism of their own skills. Most important, though, is that reports and recommendations are acted upon quickly, so that vulnerabilities are closed before hackers can exploit them.
This was first published in November 2013