Rubber Or Glue, It Still Sticks…

This brings up a sort of interesting if not chilling thought in the world of security, particularly for large organizations:

Mozilla shuts online store after security breach

The title of this entry, which I’ve included verbatim, is important.

To me when I read it, I’m reading “Mozilla has a problem”, or “Mozilla isn’t secure”, or most painfully, “Mozilla is a place I want to avoid because of its lack of security.”

However Mozilla didn’t screw up and this is in fact no reflection on Mozilla’s security whatsoever. If you actually read the post, you’ll see:

The Mozilla Foundation has shuttered its e-commerce store after confirming a security breach at GatewayCDI, the third-party vendor that handles the store’s backend operations. [emphasis added]

Thus it isn’t Mozilla’s “fault” after all, it’s GatewayCDI’s.

So, what’s the point?

The point is, even though it isn’t Mozilla’s fault, the headline sure makes it sound like Mozilla’s fault, My guess is any large or influential organization will be reported similarly. That’s going to leave the first impression, which many people never get past (either because of human nature and/or not reading past the headline) that those organizations are insecure, rather than their arrant 3rd party resource.

Or to put it another way, if your company is using a 3rd party and feels all safe because things like PCI aren’t your concern, think again. Shuffling it off to a 3rd party doesn’t insulate you from the softer liability of public opinion. A liability that can turn out to be nearly as expensive as many of the more traditional ones, like getting sued.

So it’s incumbent on us as organizations and security teams to make sure our vendors are up to snuff. Signing agreements isn’t sufficient – some hands on, potentially including self conducted audits (if possible) may be required.

Most of all this brings into question assumption that moving to a 3rd party really provides you the insulation you might think it does. Choose carefully, are you may get nearly as burned if you had done it yourself.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *