The Anti-Checklist Manifesto
Offered By: 44CON Information Security Conference via YouTube
Syllabus
Intro
The Anti-Checklist Manifesto Thoughts On Assessing Third Party Risk
Chances are, a business team set the deliverables.
The legal team discussed the contract terms.
Only then did the compliance and infosec team get brought in.
Odds are, engineering wasn't consulted at all.
What Is To Be Done?
Ask questions. Up front.
A preliminary security speed bump at the start of a bake-off can prevent teams from wasting their time.
Speed bump. No more than 10 questions.
To work, these questions must be simple, and serve as proxies for "security".
Do you encrypt all our data in transit, and at rest within your systems?
Are all our data segregated from other customers' data?
Please describe the architecture and segregation of customer data within S3 buckets/blob/etc storage.
Describe your internal authentication regime.
Please describe how you maintain least-privilege in your environments.
Do any of your internal systems use static credentials? How do you audit their use?
How do you manage secrets in your production and non-production environments?
Do you have a named executive responsible for security? What is their title, and to whom in the organization do they report?
Do you have written information security, data security, encryption, acceptable use, and physical security policies?
Does your company require all engineers to undergo regular secure coding training?
PISA: security questions before a bake-off.
You still need due diligence (DD); this only disqualifies providers.
SOC2 is not a free pass [butland].
Lack of SOC2 isn't a disqualifier (use VSA Core).
Seek sensible answers.
Stop the Spreadsheet Cat Rodeo.
Taught by
44CON Information Security Conference
Related Courses
Supply Chain Unchained - How To Be A Bad SaaS (44CON Information Security Conference via YouTube)
Aviation Security 101 (44CON Information Security Conference via YouTube)
Why Are We Still Doing Authentication Wrong? (44CON Information Security Conference via YouTube)
What Do Hackers See When They Look at the Clouds (44CON Information Security Conference via YouTube)
Why Security-as-a-Feature Will Never Happen (44CON Information Security Conference via YouTube)