Security Product Assessments
ACM.147 Posts by Teri Radichel on security assessments for security products, vendors and supply chains
Part of my series on Automating Cybersecurity Metrics. The Code.
In my last post I wrote about multi-session compromise in a scenario where you’ve separated the duties of who can create users and who grants them access.
At the end I mentioned that perhaps we could consider a third-party tool to manage the users separately from the cloud environment itself. There’s a few reasons why this would be beneficial, which I’ll cover in the next post. I’ve been considering a particular vendor for a while but never really had time to test the product out, but I’m going to be doing that now. Yes, I’m veering away from the final implementation I set out to write again, but my recent discoveries are a bit too concerning to ignore. I want to see if a third-party identity provider (IdP) could help in this scenario — or if it will make security even more challenging.
I’ve written a few posts now on security product assessments, which are listed at the bottom of this post. One of the drivers for these posts is that companies keep asking me to promote or market their products or “take a look” to see what I think of them. I simply don’t have time. On that note, vendors are better off not sending me emails I didn’t request introducing their products if they don’t want to get reported as spam. Alternatively, I will not report your emails as spam if you hire me! :) Some vendors have, and I appreciate that very much.
Even in those cases where I did take a look for free or on my own time, I literally just looked at the product. I didn’t truly assess it. I don’t have time and cannot afford to fully assess a product for free, unless it is something I happen to be considering using myself. I also do not work in a marketing capacity for vendors. I will provide an honest assessment if they pay me to do so. A “demo” of your product doesn’t really tell me anything. I have to sit down and read the documentation, deploy it, use it, poke around at it, possibly reverse-engineer parts of it to understand potential security gaps, and ask questions to perform an assessment.
I did sit down for a demo of a few products for friends in very limited cases. The people were in my Seattle AWS Meetup (which I hope to revive in some capacity pretty soon — I just have one other project to complete). One of those was a company called Cloud Neeti which ended up getting purchased by Zscaler. When I saw the product, I patted the founder on the arm and said, “Remember me when you’re famous” because it looked really good. I can’t speak to the inner workings of it or where it stands now but it would be a nice security scanner for companies trying to assess their configurations in cloud environments.
I didn’t spend more time on it because that product wouldn’t work for me. I have to assess other companies’ cloud environments, and I host some information in AWS or sometimes Azure or GCP depending on the assessment, but I have a bit more control of the data there than I would in a SaaS platform. Therefore, I don’t use them.
Also, at the time the product was maintained by 23 people in India, which is a pretty small number for all that data containing company vulnerabilities, potentially. But the product concept was excellent and I’m sure they have more support for proper security at Zscaler now.
What products do I assess on my own time without a paid assessment? Products I would consider using for my particular business. And I’m going to go through how I assess a product I’m considering using in my next few blog posts. You’ll see why I can’t do this for everyone for free. And also, I have limited access to what I would need to truly assess the product because I cannot interview their staff and perform a full-on assessment. So even this assessment I’m going to show you is somewhat limited.
Follow along to see how I assess the product from an external technical standpoint in the next few posts by simply trying out the product. This is not going to include a process or compliance assessment which would include things like interviews covering how they manage development systems and possibly a review of their IAM and network implementation and a vulnerability scan, depending on the scope. But you will see some of the things I look into when trying out a product and threat assessment considerations.
Also, by the way, no one person or company is going to find every problem in a single assessment or penetration test. Just look at the number of vulnerabilities and problems announced daily — some of which lead to data breaches. But I’ll do my best with the free time I have to cover some basic considerations.
2nd Sight Lab provides product security assessments for cloud-based products. Reach out to Teri Radichel on LinkedIn if you need help with a cloud security product assessment.
A Security Tool Won’t Save You
Please stop asking me which tool to buy — ask me this instead…
Assessing Supply Chains ~ The People
When assessing potential products include a review of executives, technical staff, investors, and board of directors
Cybersecurity Assessments & Projects
How to get help with your next cybersecurity initiative
I was exploring using PFSense in front of Ubiquiti in some of my networking posts — a project I still need to finish.
Ubiquiti Dream Machine Pro ~ First Impressions
Initial attempt to set up the device, use the phone app, and set up a VLAN
The other posts in this series are found in my network security posts:
Teri Radichel | © 2nd Sight Lab 2023
Follow on Medium: Teri Radichel
Sign up for Email List: Teri Radichel
Follow on Twitter: @teriradichel
Follow on Mastodon: @email@example.com
Follow on Post: @teriradichel
Like on Facebook: 2nd Sight Lab
Buy a Book: Teri Radichel on Amazon
Buy me a coffee: Teri Radichel
Request services via LinkedIn: Teri Radichel or through IANS Research
Slideshare: Presentations by Teri Radichel
Speakerdeck: Presentations by Teri Radichel
Recognition: SANS Difference Makers Award, AWS Hero, IANS Faculty
Education: BA Business, Master of Software Engineering, Master of Infosec
How I got into security: Woman in tech
Company (Penetration Tests, Assessments, Training): 2nd Sight Lab
Cybersecurity for Executives in the Age of Cloud on Amazon
Cloud Security Training (virtual now available):
2nd Sight Lab Cloud Security Training
Is your cloud secure?
Hire 2nd Sight Lab for a penetration test or security assessment.
Have a Cybersecurity or Cloud Security Question?
Ask Teri Radichel by scheduling a call with IANS Research.
More by Teri Radichel:
Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts