
Is Vulnerability Management a buzz word?

A few days ago, in a Facebook.com group about Italian startups, a smart guy said
he had a breakthrough product he was going to develop: a cloud-based solution to
store people's sensitive health-related information.

As a wise appsec guy, I asked him how he was going to protect customers' data.

Something we have: a physical device

Lombardia, the Italian region around Milan, Bergamo, Brescia and so on, uses a
smartcard and a centralized datacenter so that all doctors and hospitals in its
territory can share a given person's health history.

The smartcard is bound to each physical person and also carries that person's
assigned fiscal code. That is to say, every person has a different code and
therefore a different smartcard.

People can request a personal PIN to unlock the data contained in the smartcard
and also to access the centralized datacenter's information about their medical
history.

We consider it a strong and secure system for now; its security is out of scope
today. We just want to note that Lombardia already has that guy's idea in
production, except for the cloud part.

Something we don’t have: the cloud

Cloud… when I see this word in slideware I feel like I've taken a strong kick
to the stomach. Cloud is, by definition, a place somewhere on the Internet that
we can treat as a huge mass storage system.

Neither the operating system, nor the database, nor how many machines run a
particular service matters. It's the cloud, baby.

gmail.com stores your email in the cloud. This means the messages are physically
stored somewhere in Google's Mountain View datacenter, but also in India,
Pakistan, Italy, France, Alaska… yes, we can go on.
gmail.com's security relies on the security of the web application people use as the frontend.

There is of course physical security, and the data is presumably encrypted, but
we cannot be sure that every single machine in the google.com cloud has the same
patch level, the same software and database releases, the same hardware
configuration, and the same perimeter security (firewalls, web application
firewalls, biometric access to the server farm, password policy).

Email is sensitive information, but health data is even more so. Out of scope
for now are all the privacy and data-jurisdiction laws that make the idea illegal
in most countries. We focus the discussion on the cloud and its security level.

An appsec guy would ask

I wrote my doubts in a polite and constructive way. I don't want to kill other
people's ideas, but I can't figure out why the hell a person would be fine
publishing his health-related sensitive data on the Internet.

I asked which security features this startup would proactively implement to
secure that data. I asked which vulnerability management policies they would
adopt, which vulnerability assessment tools they would use, which secure coding
guidelines they would follow, how often they would perform code reviews, and
similar questions.

I questioned whether "in the cloud" was being used there as a buzzword just to
describe something that is supposed to be cool. Another guy, who I suspect owns
a company providing cloud-based services, told me that "vulnerability
management" is also a buzzword and that security would be the core business of
the company providing cloud services for that startup.

No technical details. No further comments. The thread is dead from my point of view.

The key point is that "cloud" is a word spent during pre-sales, but you must
take real care about how strong your security policy is when you put data in
the cloud.

Vulnerability management is a process put in place to take care of
vulnerabilities and the risk level associated with them. I think it's a real concern.
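To make "process" concrete rather than a buzzword, here is an added example (my own illustration, not code from the original post or from armoredcode.com) of the two checks a minimal vulnerability management loop performs: ranking open findings by risk so that remediation deadlines follow exposure and data sensitivity, and spotting the patch-level drift across machines that the gmail.com paragraph above worries about. The hosts, package versions, severity weights, SLA days and `VULN-000x` identifiers are all constructed for the example; they are not real CVEs, real systems or a standard scoring formula.

```python
"""Minimal vulnerability-management triage over a constructed host inventory.

Two building blocks of the process the post describes:
  - triage(): rank findings by a risk score that combines severity with the
    exposure and data sensitivity of the affected host, then attach a
    remediation deadline (SLA) per risk band.
  - patch_drift(): flag hosts whose package version differs from the fleet
    baseline, i.e. the "same patch level everywhere?" question.
All data and weights below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Base severity weights, loosely following CVSS qualitative ratings (constructed policy).
SEVERITY = {"critical": 9.5, "high": 7.5, "medium": 5.0, "low": 2.0}

# Remediation deadline in days per risk band (constructed policy, not a standard).
SLA_DAYS = {"urgent": 7, "high": 30, "normal": 90}


@dataclass(frozen=True)
class Host:
    name: str
    internet_facing: bool
    holds_health_data: bool
    packages: dict  # package name -> installed version


@dataclass(frozen=True)
class Finding:
    vuln_id: str  # constructed placeholder ids, not real CVE numbers
    host: str
    severity: str
    exploit_public: bool


def risk_score(finding, hosts):
    """Severity adjusted by host exposure, data sensitivity and exploit availability."""
    host = hosts[finding.host]
    score = SEVERITY[finding.severity]
    if host.internet_facing:
        score *= 1.3  # reachable from the Internet: more likely to be attacked
    if host.holds_health_data:
        score *= 1.2  # sensitive data: higher impact if compromised
    if finding.exploit_public:
        score += 1.0  # public exploit: less skill needed to abuse it
    return round(min(score, 10.0), 1)


def risk_band(score):
    if score >= 9.0:
        return "urgent"
    if score >= 7.0:
        return "high"
    return "normal"


def triage(findings, hosts):
    """Return findings sorted by descending risk, each with band and SLA attached."""
    rows = []
    for f in findings:
        score = risk_score(f, hosts)
        band = risk_band(score)
        rows.append({"vuln_id": f.vuln_id, "host": f.host, "score": score,
                     "band": band, "sla_days": SLA_DAYS[band]})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def patch_drift(hosts):
    """For each package, report hosts not on the most common (baseline) version."""
    versions = {}  # package -> Counter of installed versions
    for h in hosts.values():
        for pkg, ver in h.packages.items():
            versions.setdefault(pkg, Counter())[ver] += 1
    drift = {}
    for pkg, counter in versions.items():
        baseline = counter.most_common(1)[0][0]
        outliers = sorted(h.name for h in hosts.values()
                          if h.packages.get(pkg) not in (None, baseline))
        if outliers:
            drift[pkg] = {"baseline": baseline, "outliers": outliers}
    return drift


# Constructed sample inventory and findings (not real systems or vulnerabilities).
HOSTS = {
    "web-01": Host("web-01", True, False, {"openssl": "1.1.1k", "nginx": "1.18.0"}),
    "web-02": Host("web-02", True, False, {"openssl": "1.1.1k", "nginx": "1.18.0"}),
    "db-01": Host("db-01", False, True, {"openssl": "1.0.2u", "postgresql": "12.4"}),
}
FINDINGS = [
    Finding("VULN-0001", "web-02", "high", True),
    Finding("VULN-0002", "db-01", "medium", False),
    Finding("VULN-0003", "web-01", "low", False),
]

if __name__ == "__main__":
    for row in triage(FINDINGS, HOSTS):
        print(f"{row['vuln_id']} on {row['host']}: score {row['score']} "
              f"({row['band']}, fix within {row['sla_days']} days)")
    for pkg, info in patch_drift(HOSTS).items():
        print(f"drift in {pkg}: baseline {info['baseline']}, outliers {info['outliers']}")
```

The point of the example is the shape of the process, not the numbers: findings are prioritised by where they sit (an Internet-facing web server outranks a medium finding on an isolated database), every band has a deadline someone is accountable for, and fleet drift is checked continuously rather than assumed away because "it's the cloud".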

And you? What do you think about it? Is Vulnerability Management a buzz word?


This is a Security Bloggers Network syndicated blog from armoredcode.com, the application security blog that gets the job done, authored by Paolo Perego. Read the original post at: http://armoredcode.com/blog/is-vulnerability-management-a-buzz-word/