What You Need to Know the Next Time You Read Another “Healthcare Security” Article

Just read through this article called “Healthcare orgs fall short on software security” and had a couple of thoughts to share. To start, I’ve been in penetration testing, application development security, and research for over 15+ years now, so I have a pretty close-to-the-ground feel for these topics. The article recommends doing the following, but I have some thoughts against them that might surprise you:

  • Penetration testing: I think this is a good way to get a snapshot of where you’re at security-wise, but you need to realize that penetration tests are entirely subjective. The analysts may miss something, they might not be as much of an expert in one topic as in another, etc. I’ve seen organizations use penetration testing as the end-all measurement of their security. Bad move, don’t do this.
  • Application development security: Budgets are tight, so organizations may use an automated tool or an expert code reviewer, but typically not both. Each has its pros and cons (false positives, false negatives, objectivity, etc.). Then you need to cover things like security coding best practices, threat modeling, and other verification techniques. The article seems to focus on input validation, which is but one of many things you need to worry about to get application development security right.
  • Security research: The article suggests that a bug bounty program is a good way to find out where you should prioritize your security efforts. That’s where hackers find vulnerabilities in your application, report them to you, and you reward them. OK, here’s the problem with this: as a researcher, I am not going to spend a single ounce of effort researching your product unless 1) the cash reward is significant or 2) the recognition reward is significant. Unless you’ve got seriously deep pockets, your bug bounty program is probably going to get little to no attention. And so if you set up a bounty program and no one reports anything, that’s not an indicator of how you’re doing. The mistake I see organizations making here is assuming that because no one has reported anything, they must be doing fine, when that’s probably not close to reality.

Not to leave you with the wrong impression of the above: these are great security activities to do, but I just wanted to share with you (as someone who is actually in these fields) the pitfalls and gotchas you run into if they’re not done right. Thanks, and see you all next Friday.

–Kevin