We're trying to choose a website security service provider to secure our sites, as we don't have the in-house expertise... (or budget) to do it ourselves. Can you make any recommendations on what companies should look for in such services?
Ask the Expert
SearchSecurity expert Michael Cobb answers enterprise application security and platform security questions.
Securing a website requires specialist knowledge, so you're right to outsource the job if you don't have the necessary skills in-house. Ideally, you want a firm or individual who can not only find weaknesses in your applications, but also provide recommendations and assistance on how best to remove or mitigate them. The main problems usually occur in input validation, authentication and session management, while poor system and application configuration can also leave a site vulnerable to attack. These vulnerabilities can be uncovered through code reviews, vulnerability assessments and penetration tests.
The company you choose should be able to demonstrate a knowledge of security best practices, as well as an understanding of regulations specific to your industry -- for example, the requirements of the Payment Card Industry Data Security Standard (PCI DSS) for e-commerce sites doing their own payment card processing. The security team should also be experienced in the programming languages used to develop the site, as well as any frameworks used. Knowledge of mistakes inherent to a particular language or framework is essential to eradicate obvious flaws that can lead to well-known and exploitable vulnerabilities in a live site.
It is important to ask to see endorsements from previous clients, and never consider any firm that does not have established service-level, code of conduct and confidentiality agreements that clearly set out its obligations and responsibilities and detail how it will safeguard your data and the inside knowledge gained about your sites. Don't take marketing claims at face value either; always ask to see the qualifications and examples of the competence of those who will actually be assigned to work on your sites. You don't want to pay for the knowledge of the head consultant, only to find someone using your site for training purposes.
There is a variety of IT security qualifications to look out for; the most widely recognized are from the Information Systems Audit and Control Association and the International Information Systems Security Certification Consortium. Microsoft also offers certifications covering the secure administration of sites using its products.
Check that any pen tests will follow the Open Source Security Testing Methodology Manual (OSSTMM), as it details how a security test should be carried out and includes acceptable-practice guidelines. There are various organizations that provide standards and certifications for penetration testers, including the Council for Registered Ethical Security Testers, or CREST, Mile2, and Tiger.
Finally, it's important that any feedback provided by third parties is seen by staff as additional support, not as criticism of their own skills. Most important, though, is that reports and recommendations are acted upon quickly, so that vulnerabilities are closed before hackers can exploit them.