That's right, we said it... software developers are lazy!
Why such strong words for the creative minds that make the amazing applications that run all of our business operations, and even make our personal lives better? Simple - software developers are very creative when it comes to developing, but very lazy when it comes to securing the applications they develop.
We deal with multiple software vendors and developers on a daily basis for our clients. There are some that are very good to work with and completely get the comprehensive approach of not only developing a great application but also ensuring that it is secured as well. Unfortunately, there are also quite a few that leave MUCH to be desired on the security side. The risk to your organization is that the software developer puts the responsibility of securing your environment on your shoulders.
What do we mean by this? At least once a week we deal with a software vendor that, for either support or everyday access, requests that we open up firewall ports directly to their application. The worst offenders are the ones that request that Remote Desktop Connections be allowed through the firewall. As end users, most people just want it to work. They don't necessarily understand or care what the security risks are. They just need access to the software or application, and the vendor is telling them that it just needs to be opened up through the firewall.
The software vendor wants the path of least resistance, so instead of worrying about securing the environment, they just tell the client to open up the ports in the firewall. To put this in perspective, this would be like your cable TV provider telling you to leave your front door open so that they can run the cable across the floor, through your open door, to the TV, because the service is great and that's the fastest way to get it to work. And in the case of Remote Desktop Connection, it would also mean that you not only leave the front door open to the house but also leave your wallet on the TV so that it's easier for the cable guy to take his payment. You would never do this with your house! So why do so many business owners and managers openly agree to leave their technology wide open like this? Simple - they don't know the risks, and they don't have a process to regularly evaluate and address their risk and liability when it comes to the technology in place.
So What Should You Do?
- First of all, you need to make sure you have a security policy in place that all of your employees, contractors, and partners agree to and sign.
- Never agree to "Just open up these ports on your firewall" without knowing exactly what they affect and how you will secure them.
- Never agree to let a vendor make changes to your security or firewall without knowing exactly what it affects.
- Never assume your software vendor has your best interest in mind when it comes to securing your environment. Quite often their interest is in the easiest and fastest way to get off the phone with you and your issue.
- Always get complete documentation of any requests or changes in your environment in writing, and ask questions if you don't understand.
- Finally, you MUST have a process in place to regularly evaluate the security and the related risks and liability you have in regard to your technology. It is almost guaranteed that the security you put in place when your firewall was originally installed is not the same as it is today, nor are your needs the same.
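As an added example (our illustration, not code from the original post or any vendor), here is a small Python audit that applies the points above to an export of inbound firewall rules: it flags rules that expose remote-administration ports such as RDP to any source, and rules with no recorded owner or written justification. The rule format, the port table and the sample rules are constructed for illustration and are not from any real firewall.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Ports commonly used for remote administration. Exposing any of these to the
# whole internet is the "front door left open" case described in the post.
# This table is an assumption for the example, not a complete list.
REMOTE_ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 5985: "WinRM", 5986: "WinRM-HTTPS"}


@dataclass
class Rule:
    """One inbound allow rule, in a constructed format for this example."""
    name: str
    source: str             # CIDR the rule accepts traffic from
    port: int               # destination TCP port
    owner: str = ""         # who requested the rule (vendor, ticket, person)
    justification: str = "" # written reason, as the post recommends


def is_internet_wide(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. the rule accepts traffic from anywhere."""
    return ip_network(cidr, strict=False).prefixlen == 0


def audit_rules(rules):
    """Return (rule name, issue) pairs for rules that need review."""
    findings = []
    for r in rules:
        if is_internet_wide(r.source):
            service = REMOTE_ADMIN_PORTS.get(r.port)
            label = service if service else f"port {r.port}"
            findings.append((r.name, f"{label} open to the whole internet"))
        # A rule nobody can explain in writing is a rule nobody will ever remove.
        if not r.owner or not r.justification:
            findings.append((r.name, "no documented owner/justification"))
    return findings


# Constructed sample rules; 203.0.113.0/24 is a documentation-only range.
SAMPLE_RULES = [
    Rule("vendor-rdp", "0.0.0.0/0", 3389),
    Rule("vendor-app", "203.0.113.0/24", 8443, owner="Vendor support", justification="ticket PLACEHOLDER: app API"),
    Rule("web", "0.0.0.0/0", 443, owner="IT", justification="public website"),
]

if __name__ == "__main__":
    for name, issue in audit_rules(SAMPLE_RULES):
        print(f"{name}: {issue}")
```

Run it against your own rule export on a schedule; a rule that keeps showing up as "no documented owner" is exactly the kind of change the post says you should have in writing.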
If any of the items we have described sound like something you have gone through internally, and you don't have a trusted technology partner or just want a second opinion, we would be more than happy to provide our recommendations regardless of whether you are a customer of ours. Just drop us a line below.