I was reading the security page for another new product today and it struck my how amazingly disappointed I am that we’re still at the stage that the best companies can say about their security is “Trust us we hold all your data securely, and we use military grade SSL” or words to that effect.
Not to say that SSL isn’t a good way of protecting data in transit, but this is the equivalent of someone building a bank and saying “trust us, this is secure, we use the same rivets as they do in battleships”.
It’s ridiculous to expect users to be able to make an informed decision about security with the amount of data provided.
So what would be a better option? Well if you’re developing a product how about putting some information about the Security steps in your development process (you do have those right?).
- We provide all our developers with secure development training (for optional bonus, here’s the areas we covered and how we assessed our developers awareness of security topics)
- All our products have threat modelling and security architecture reviews (for optional bonus, here’s the output of our threat model and what controls we put in place)
- We have external consultants complete a security focused code review before release (for optional bonus, here’s the report and what we did to address the findings)
- We complete security testing on all our products (for optional bonus here’s the report and what we did to address the findings)
now this is far from a comprehensive list and doesn’t address the problem of how to ensure it’s all true, but surely it’s better than just SSL!