There’s truth to that, but it’s dangerous to consider it an acceptable amount of signal.

Ryan, I would be curious as to the scope of products you have been exposed to in the capacity of…

Jeffrey Radice

Ryan McGeehan

Dec 24, 2016·1 min read

There’s truth to that, but it’s dangerous to consider it an acceptable amount of signal. There’s a whole universe of ways to surface security debt far before a potential customer does that work on your behalf with a penetration test.
It’s valuable for a company to aggressively mitigate vendor risk in the way you describe, but it is a common warning sign when a vendor’s security story is “another customer audited us and we were OK”. That is a bad story.
A good story is when a vendor can describe how they surface debt systematically with employee, infra, and app security programs. This should exist before a potential customer has to *literally tell them* about their own debt.
So, while I think vendor penetration testing is a valuable practice for a customer — a vendor that solely relies on this form of signal for their security debt should be avoided. That signal comes far, far later than where our expectations should be, and a vendor should be able to represent more about their security than that. Otherwise, security start at sales, ugh.

Jeffrey Radice

Ryan McGeehan

Dec 24, 2016·1 min read

Ryan McGeehan

Writing about risk, security, and startups.

More from Ryan McGeehan

Writing about risk, security, and startups.

More From Medium

Quantifying your unknown risks.

Measuring “In the Wild” Exploitation

The next 50 years of cyber security.

Forecasting a headline risk: NetSpectre

Learning from cryptocurrency breaches

I Was Crushed When I Discovered I Was His “Third Tier” Girl

The GameStop Fiasco Proves We’re in a ‘Meme Stock’ Bubble

The 5 Habits That Will Help You Burn Fat Efficiently

About
Help
Legal

About

Help

Legal

Get the Medium app