consumer-reports-innovation-lab / TheDigitalStandard

The Digital Standard is an ambitious, community-led effort to build a framework to test and rate products and services on the basis of privacy, security, and data practices.
Creative Commons Attribution 4.0 International

Data Security: Security oversight - an internal security team isn't necessarily required #18

Open fawkesley opened 7 years ago

fawkesley commented 7 years ago

The Security oversight section says:

The company has an internal security team that conducts security audits on the company's products and services.

I don't think having an internal security team is the only way - take debian linux or the openwrt project, for example, which have distributed communities of people who respond to security threats.

I think the sentiment is great, but it excludes the open source community, or community-supported products.

includeyv commented 7 years ago

I think the fact that it excludes the open source community may have a purpose. It depends on what TheDigitalStandard is meant to be.

A product that is developed and maintained by a (big?) company in cooperation with a distributed community of people is rare. The current situation is mainly: There are companies / brands on one side. And open source & community supported products on the other side.

Open source & community supported efforts quite often prove that certain things are possible, and can be done in a better way, than (apparently) in a company setting.

Example: A big company produces a top-spec smartphone, and drops software support & maintenance after 2 years. A community of firmware builders goes on adding the support for years after that, up to the current Android with all patches applied. Actually the community is doing the work that the company should do.

The Openwrt project is something similar, but then for routers.

Anyhow, when TheDigitalStandard is meant to describe how companies should function in the classic way, then the words used in the Security oversight section are "OK".

Otherwise, maybe the Security oversight section could be: "The company has [at least] an internal security team that conducts security audits on the company's products and services. Alternatively it has interaction with, or at least a policy for implementing security related input by, community supported development groups."

taliesan commented 7 years ago

Mudge, thoughts?

citl-s commented 7 years ago

We already have a separate indicator for the company conducting third party testing, but internal testing and auditing is valuable - in an ideal world, the company tests their product first, and then the outside audit is for finding things that they missed.

I agree that we should maybe change the wording to allow for cases where the company outsources security functions (both internal product & service testing and corporate/network security), rather than having an internal team - possibly replace "internal" with "dedicated".

It's important to note that this standard is comparative, not pass/fail - an organization that has a dedicated security team should get credit for that, so we want to have it be something we look for, but it doesn't mean that an organization without one cannot get a good score.

billfitzgerald commented 2 years ago

The core of this valid feedback could be incorporated by an indicator and procedure that trapped for an additional (or alternative) mechanism of security review, and transparency around that review process.

This is somewhat covered by (or related to) participation in bug bounties, although that doesn't address or include the initial example of an open source project with a distributed security team.