Darn $service_provider they bunked it up again! Wait didn’t we do a vendor assessment on them…how the hell didn’t we find this? Go pay them a site visit and find out what’s going on!I chuckle to myself after listening to my CISO say this to me again. Another normal conversation right after an incident, but seriously why didn’t we find out that they only supported shared passwords? Or that they are outsourcing their security to a 4th party? Or that their offices in Pune have dogs in the hallways?Are vendor assessments a joke but nobody is laughing. This presentation will discuss my perspective on 3rd party assessments from sitting on “both sides of the table”.This presentation will discuss:- how 3rd party assessments go wrong - how to ask the right questions - how to maintain a security vendor relationship

Back to BSides Chicago 2014 video list