nGenuity

How Can You Make Your Software Trustable?

My friend Creeva posted about Free Software on Craigslist – Should You Trust It? He states,

I’m just trying to point out that there is no such thing as a more trustable anonymous source. It would be easy to compromise a computer by offering free software on Craig’s List and manipulating it before handing it out.

This got me thinking that even free (or commercial) software from what appears to be a reputable provider should be approached with caution. What about a legitimate company trying to get people interested in their software? Should people be skeptical of those sources as well, even though they are not anonymous? Absolutely they should. So as a software company or software-as-a-service provider (there are so many web applications springing up these days), how can they make their product more trustable and appealing to wary consumers?

Promise & deliver:

Build trust with your customers by making promises and keeping them while exceeding expectations. Sounds easy, right? Well then do it: put in the hard work to make it happen. It won’t happen overnight, and it will happen by some people taking the leap of faith with your brand and products. Make sure those customers love you and your product. Make sure that whenever they tweet, dent, blog, whatever about their experience, it will be positive.

Take your lumps:

Let customers provide transparent feedback on your services on your website. People like to trust the input from other people. Take the good with the bad and allow customers to complain or rave about your product. Once you get over being upset that they complained, fix the problems they had, make it better and tell the world.

Get a security assessment already:

Pimp your third-party audit results, even if you did badly. First of all, this means that you have to get your product assessed. Do so by selecting a vendor in your market space that has experience, and their word will lend credibility to your brand. If you did badly on the audit, tell the world how you will change. Every software product has security vulnerabilities (yes, every one; don’t let those crafty vendors fool you, and don’t be one yourself). What you need to be able to explain and demonstrate is that you care enough to do whatever it takes to respond to and handle those issues as best you can. Keep this promise at all costs.


Why Find and Publish Vulnerabilities?

I have been asked many times why I spend so much time and effort hunting for security flaws in software. I make no money off the vulnerabilities that I publish in my free time, and the companies that fix these flaws get essentially free quality assurance testing done. Some people think that it is to harm the other company or tarnish their reputation. This could not be further from the truth. nGenuity practices responsible disclosure and works with vendors to fix security flaws before the details get published.

So what do I get out of doing this work and more importantly, what do you get?

Skills Dissipate

Since leaving Symantec to start nGenuity, I find I don’t have as much time to do security assessment work as I used to, something I really enjoyed. To ensure that my skills do not atrophy, I seek out software vulnerabilities and ways to improve my methods of finding and fixing them.

Credibility

Does an I.T. company that doesn’t know how to find and identify vulnerabilities in systems and software really know how to secure your network and protect your data? Publishing vulnerabilities and helping companies secure their software and systems helps nGenuity demonstrate that we have an in-depth understanding of security issues. Better yet, you know that we are going to be able to help you secure your environment better than your neighborhood computer guy who will sell you a product and tell you that you are “secure.” I know this sounds like a sales pitch, but it’s something to really think on the next time your I.T. company tries to talk to you about security and rambles on about simply purchasing products. There is a lot more to it than just installing patches, anti-virus and backups. It’s about the entire process, the security life cycle of your business.

The Ah-Ha Moment

Many businesses don’t understand they have security problems until they have either been affected by them or are shown just how vulnerable they are. If I can demonstrate to you how I can take over your website, siphon confidential data from your network or make your point-of-sale systems unavailable, it is easier to see just how security issues will cost your business money. Without these ah-ha moments, unknown vulnerabilities remain unknown business liabilities.

In the end, if the vendor has improved their software, then my customers’ data and brands are more protected and I’ve had the opportunity to continue refining my skills. I would call that a win-win for everyone.


The Sense of Security

When I spoke at Learn About Web 2008, something I tried to convey was the importance of your audience feeling secure in your environment. When developing your business, consider using the hard work you have put into protecting it and the genuine effort you put forth protecting client data as a marketing tactic. Again, this only works if you actually put effort into developing your security program.

Using items like trustmarks (recognizable representations of some type of effort, service, or guarantee), privacy policies, and appropriate copy in the material your customers receive and your employees are subjected to allows a subtle and controlled feeling to be delivered. Should you get this message wrong, your customers and employees might just feel like the cartoon below by Scott Stantis.

[Cartoon: Prickly City by Scott Stantis]


Reach Out And Touch Someone

Many businesses are turning to Voice over IP (VOIP) to reduce overhead. Just like many other technologies, VOIP (or any other phone system) adds additional risk to your business that you may not be aware of. Phone systems today (as they have been for a while) are just computer systems and must be considered in the overall security strategy of your business. Left out, their software becomes outdated, passwords become stale, and the potential for loss increases.

Consider the following example, where a 4-digit password protected the phone system from outside attackers. How would your business react to a $52,000 phone bill (plus the lost time dealing with the phone company)?

http://www.winnipegfreepress.com/local/hacker_makes_costly_calls.html

Remember:

  • Change your voice mail password just as often as (or more often than, because it is shorter) your computer passwords.
  • Check for firmware and software updates for your telecommunications equipment just like you do for your computer systems.
  • Review the agreement between you and your VOIP / Telco provider to ensure that charges can be disputed should your system be compromised.
  • Have your system audited by a professional as part of your yearly system maintenance.
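The first two points above (short voicemail PINs and stale passwords) are the kind of thing an administrator can check for across every mailbox before an outside audit does. The script below is an added example for this post, not code from nGenuity or from any phone system vendor. It assumes a PBX export of extension, PIN and last-change date, a 6-digit minimum and a 90-day rotation period; the list of default PINs and the sample mailboxes are constructed for illustration.

```python
from datetime import date

# Constructed for this example: PINs commonly left at factory defaults or
# chosen for convenience. A real policy would load a site-specific list.
COMMON_DEFAULT_PINS = {"0000", "1234", "1111", "2580", "000000", "123456", "111111"}

# Constructed sample export: (extension, current PIN, date PIN last changed).
SAMPLE_MAILBOXES = [
    ("101", "1234", date(2008, 1, 15)),    # short, default, sequential and stale
    ("102", "739104", date(2008, 11, 1)),  # compliant
    ("103", "482619", date(2008, 5, 2)),   # strong digits but never rotated
]
AUDIT_DATE = date(2008, 12, 1)


def pin_keyspace(length: int) -> int:
    """Number of possible all-digit PINs of the given length (10^length)."""
    return 10 ** length


def is_sequential(pin: str) -> bool:
    """True when every digit steps by +1 or -1 from the last (1234, 9876)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def pin_weaknesses(pin: str, min_length: int = 6) -> list[str]:
    """Return a list of policy findings for one PIN; empty means it passes."""
    if not pin.isdigit():
        return ["non-digit characters"]
    problems = []
    if len(pin) < min_length:
        problems.append(f"shorter than {min_length} digits")
    if pin in COMMON_DEFAULT_PINS:
        problems.append("well-known default PIN")
    if len(set(pin)) == 1:
        problems.append("single repeated digit")
    elif is_sequential(pin):
        problems.append("sequential digits")
    return problems


def rotation_overdue(last_changed: date, today: date, max_age_days: int) -> bool:
    """True when the PIN has not been changed within the allowed window."""
    return (today - last_changed).days > max_age_days


def audit_mailboxes(mailboxes, today, min_length=6, max_age_days=90):
    """Map each failing extension to its findings; compliant ones are omitted."""
    findings = {}
    for ext, pin, changed in mailboxes:
        issues = pin_weaknesses(pin, min_length)
        if rotation_overdue(changed, today, max_age_days):
            issues.append(f"PIN older than {max_age_days} days")
        if issues:
            findings[ext] = issues
    return findings


if __name__ == "__main__":
    # Show why length matters before listing the per-mailbox findings.
    for n in (4, 6, 8):
        print(f"{n}-digit PIN keyspace: {pin_keyspace(n):,}")
    for ext, issues in audit_mailboxes(SAMPLE_MAILBOXES, AUDIT_DATE).items():
        print(f"extension {ext}: {', '.join(issues)}")
```

Run against a real export, the report gives the administrator a concrete list to act on at each rotation cycle rather than a vague sense that the phone system is "probably fine".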