Jay Heiser

A member of the Gartner Blog Network

Jay Heiser is a research vice president specializing in the areas of IT risk management and compliance, security policy and organization, forensics, and investigation. Current research areas include cloud and SaaS computing risk and control, technologies and processes for the secure sharing of data…

Definition: Service Provider Security Evaluation

by Jay Heiser  |  August 10, 2012  |  2 Comments

The process in which the buyer asks a random list of questions that might have some minor relevance to some aspect of a provider’s security posture, and the potential provider pretends to answer them.

Category: Cloud risk management security

2 responses

  • 1 Craig Heath   August 14, 2012 at 5:42 am

    Very good :-)

    What do you think of vBSIMM as a means to ask less random questions?

    http://www.informit.com/articles/article.aspx?p=1832574

  • 2 Jay Heiser   August 14, 2012 at 8:38 am

    I don’t know of anything else like vBSIMM. Conceptually, it makes a lot of sense, and Cigital clearly has huge amounts of experience and expertise in the area of software security quality management.

    Typical security evaluations tend to dwell on ops, because that’s easy. You can send some auditor fresh out of university into a data centre, armed only with a checklist, and they can reliably tell you whether admins are rotating their passwords, and whether vendor patches are being applied. So what good is that? For relatively simple environments running on well-understood operating environments, it is, as Sammy might say, ‘pretty not bad.’ If the security quality of the code cannot be assumed, then an audit of operational processes is likely to provide a misleadingly positive result.

    It’s no wonder that the world avoids attempts to evaluate software security quality. How long did it used to take the NSA before it was willing to ‘trust’ an OS? Long enough that all the test platforms were obsolete hardware. That degree of code evaluation turned out to be totally impractical.

    Process quality is exponentially easier to measure than output quality, so I think it’s the right approach. I’d love to see this kind of testing applied to some of the major SaaS providers. One of the huge challenges of ‘cloud computing security assessment’ is accommodating the dynamic nature of many of the service providers. They are swapping code in & out on a constant basis. A mechanism that evaluates the quality of code creation and testing would theoretically scale to cloud speeds. Would it be a useful level of assurance?

    What do you think?