Teri Radichel

Security Product Assessments

ACM.147 Posts by Teri Radichel on security assessments for security products, vendors and supply chains

Part of my series on Automating Cybersecurity Metrics. The Code.

Free Content on Jobs in Cybersecurity | Sign up for the Email List

In my last post I wrote about multi-session compromise in a scenario where you’ve separated the duties of who can create users and who grants them access.

At the end I mentioned that perhaps we could consider a third-party tool to manage the users separately from the cloud environment itself. There are a few reasons why this would be beneficial, which I’ll cover in the next post. I’ve been considering a particular vendor for a while but never really had time to test the product out, but I’m going to be doing that now. Yes, I’m veering away from the final implementation I set out to write again, but my recent discoveries are a bit too concerning to ignore. I want to see if a third-party identity provider (IdP) could help in this scenario — or if it will make security even more challenging.

I’ve written a few posts now on security product assessments, which are listed at the bottom of this post. One of the drivers for these posts is that companies keep asking me to promote or market their products or “take a look” to see what I think of them. I simply don’t have time. On that note, vendors are better off not sending me emails I didn’t request introducing their products if they don’t want to get reported as spam. Alternatively, I will not report your emails as spam if you hire me! :) Some vendors have, and I appreciate that very much.

Even in those cases where I did take a look for free or on my own time, I literally just looked at the product. I didn’t truly assess it. I don’t have time and cannot afford to fully assess a product for free, unless it is something I happen to be considering using myself. I also do not work in a marketing capacity for vendors. I will provide an honest assessment if they pay me to do so. A “demo” of your product doesn’t really tell me anything. I have to sit down and read the documentation, deploy it, use it, poke around at it, possibly reverse-engineer parts of it to understand potential security gaps, and ask questions to perform an assessment.

I did sit down for a demo of a few products for friends in very limited cases. The people were in my Seattle AWS Meetup (which I hope to revive in some capacity pretty soon — I just have one other project to complete). One of those was a company called Cloud Neeti which ended up getting purchased by Zscaler. When I saw the product, I patted the founder on the arm and said, “Remember me when you’re famous” because it looked really good. I can’t speak to the inner workings of it or where it stands now but it would be a nice security scanner for companies trying to assess their configurations in cloud environments.

I didn’t spend more time on it because that product wouldn’t work for me. I have to assess other companies’ cloud environments, and I host some information in AWS, or sometimes Azure or GCP depending on the assessment, where I have a bit more control of the data than I would in a SaaS platform. Therefore, I don’t use them.

Also, at the time the product was maintained by 23 people in India, which is a pretty small number for all that data containing company vulnerabilities, potentially. But the product concept was excellent and I’m sure they have more support for proper security at Zscaler now.

What products do I assess on my own time without a paid assessment? Products I would consider using for my particular business. And I’m going to go through how I assess a product I’m considering using in my next few blog posts. You’ll see why I can’t do this for everyone for free. And also, I have limited access to what I would need to truly assess the product because I cannot interview their staff and perform a full-on assessment. So even this assessment I’m going to show you is somewhat limited.

Follow along to see how I assess the product from an external technical standpoint in the next few posts by simply trying out the product. This is not going to include a process or compliance assessment, which would include things like interviews covering how they manage development systems and possibly a review of their IAM and network implementation and a vulnerability scan, depending on the scope. But you will see some of the things I look into when trying out a product, along with threat assessment considerations.

Also, by the way, no one person or company is going to find every problem in a single assessment or penetration test. Just look at the number of vulnerabilities and problems announced daily — some of which lead to data breaches. But I’ll do my best with the free time I have to cover some basic considerations.

2nd Sight Lab provides product security assessments for cloud-based products. Reach out to Teri Radichel on LinkedIn if you need help with a cloud security product assessment.

https://linkedin.com/in/teriradichel

I was exploring using pfSense in front of Ubiquiti in some of my networking posts — a project I still need to finish.

The other posts in this series are found in my network security posts:

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign up for my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab