Security auditor gets sued
June 3, 2009
I don’t think all that many people consider this when working as an external security auditor/tester/consultant, but something that worries me and sometimes keeps me up at night is whether you have “done enough” and “looked at and tested the right things, fully” on a particular engagement – especially when it is time-boxed (like most engagements are).
If you are working for a product company, testing your own software, and “miss” something, then that’s ok – it’s your own (well, your company’s) ass, and hopefully there are enough controls on the process that someone, somewhere, will catch the most glaringly obvious issues. You fix it, absorb the loss (if any), and make sure you don’t do it again. When you are being paid to provide that service externally, and companies are also relying on you to ensure their security (another issue altogether – simply passing on that responsibility is madness IMO), you have to get it right.
I’m surprised it’s taken this long, but a security (PCI) auditor is being sued for giving the thumbs-up to a company that turned out to be (very) vulnerable.
Now, there’s a lot of squirming PR from the PCI council that every company that was breached, and just so happened to have been certified compliant, was in fact not in compliance at the time of the breach. However, what if, to make it really simple, I tested a site and it was later hacked through some SQLi, and the client said that they hadn’t updated the code or anything, so I should have found that vuln? Obviously, all services consultancies have some legalese in their statements of work that covers them for this (if not, there’s a huge hole waiting for you to fall into), as it’s impossible to “prove” anything is “secure” – but what protects against that happening?
At the moment, I think the only things we have are methodologies/checklists (so we know what was looked at and have a “minimum level of inspection”), some “best practices” (that most of the industry seems to agree on, so we should be looking at/testing/advising on them), the professionalism of the people doing the work (goes without saying), and reputation (which you don’t want to lose – either individually or as a company, as your ability to get future employment/work/contracts will certainly suffer).
Are there things we can do to assure that the assurers (auditors, security consultancies) are doing their job right? Do we have the same worries with accountants, CPAs, and people who help you with your taxes?
Rich at Securosis (when those guys post, it’s so insightful it often triggers my own thoughts and a post – it’s been quiet for me from them for a while, but they are back on all cylinders now) has posted some of his thoughts on how to make the PCI audit process better, but I think looking at the accounting profession might be the way to go. After all, aren’t they doing a similar job to ours (signing off on the state of a company and attesting that there’s no “lying” going on), and they have just as much “wiggle-room/fuzziness” (although numbers are numbers, and much easier to quantify and prove than software and computer systems).
I think we’re going to have to go that way at some point, and perhaps more and more security auditors will get sued in the process. Privately I’ve said quite a few times that the only two things that might turn the security industry on its head both begin with ‘L’ – Legislation or Litigation – and now we are seeing both.