What You Need to Know the Next Time You Read Another “Healthcare Security” Article
Just read through this article called “Healthcare orgs fall short on software security” and had a couple thoughts to share. To start, I’ve been in penetration testing, application development security and research for over 15+ years now so I have a pretty close to the ground feel for these topics. The article recommends doing these, but I have some thoughts against these that might surprise you:
- Penetration testing: I think this is a good way to get a snapshot of where you’re at security wise, but you need to realize that penetration tests are entirely subjective. The analysts may miss something, they might not be as much of an expert in one topic than another, etc. I’ve seen organizations use penetration testing as the end-all-measurement of their security. Bad move, don’t do this.
- Application development security: Budgets are tight, organizations may use an automated tool or an expert code reviewer, but typically not both. Each has their pro and cons (false positives, false negatives, objectivity, etc.). Then you need to cover things like security coding best practices, threat modeling, other verification techniques. The article seems to focus on input validation which is but one of many things you need to worry about to get application development security right.
- Security research: The article suggests that a bug bounty program is a good way to find out where you should prioritize your security efforts. That’s where hackers find vulnerabilities in your application report them to you and you reward them. OK, here’s the problem with this: as a researcher, I am not going to spend a single ounce of effort researching your product unless 1) the cash reward is significant or 2) the recognition reward is significant. Unless you’ve got serious deep pockets, your bug bounty program is probably going to get little to no attention. And so if you setup a bounty program and no one reports anything, that’s not an indicator of how you’re doing. The mistake I see organizations making is here because no one has reported anything they must be doing fine, when that’s probably not close to reality.
Not to leave you with the wrong impression of the above, these are great security activities to do, but I just wanted to share with you (as someone who is actually in these fields) the pitfalls and gotchas you run into if not done right. Thanks, and see you all next Friday.