A couple of years ago I had a discussion with an acquaintance regarding the security of his company's Web application. The gentleman told me that quite often prospective customers would ask them whether they had done any penetration testing. His canned response was essentially: rather than go down that road, we moved our application to a Tier 3 data center that was SOC-audited. Apparently that “remedy” sufficed for prospects who were concerned about the security of this company's cloud application/environment.
Fast forward to today and I still hear individuals and businesses proudly proclaiming the great security surrounding their Web applications and cloud environments – all because they're in this amazingly equipped data center and have an audit report showing that most things are in check. The neat thing is, I've had the opportunity to dig into these SOC audit reports (namely SOC 1 Type II) to get to the bottom of just how secure these applications and systems really are.
These reports go into a fair amount of detail regarding physical security, change management, system monitoring, data backups, and the like – no doubt core security controls and processes to have in place for a well-rounded information security program. But where are the technical details? I want to see the vulnerability scan and penetration test results showing the rest of the story. Show me the missing patches, weak passwords, and SQL injection waiting to be exploited for ill-gotten gains. The reality is, they're not there. This is no fault of the AICPA or the auditors performing these audits. They're valuable and most certainly have their place. It's just that such technical details normally uncovered by proper vulnerability scanning and penetration testing are not what these audits are intended to uncover. Therein lies the problem.
My real beef is with the misconception that a resilient data center and its associated processes translate into secure servers and Web applications. Can someone please tell all the businesses relying on these audits that the devil is in the details – the details that are absent from the very reports they're reading and relying upon? Perhaps the marketers and salespeople creating this misconception can be brought into the discussion as well.
I don't know what you call this other than marketing hype, not unlike all the love for “cybersecurity” we've seen emerge this year – it's smoke and mirrors on one end of the conversation and a false sense of security on the other. The very people who think they're making educated decisions are, in fact, deciding without knowing all the facts. People believe that just because they're making some sort of quantifiable effort towards information security – i.e. by saying “Look, the data center passed the audit!” and pointing to all the great policies they have to back things up – then all is well. It doesn't work that way. It's dangerous for the business and for everyone along the supply chain.
Spread the word around: unless and until these people have also looked at the technical security flaws of their systems via penetration testing or whatever they call it, they absolutely, positively have not done the proper due diligence that their business deserves. It's merely a matter of time before something in the other half of the equation gets exploited and the next big breach occurs.