Jacob Kaplan-Moss

Hangar’s Dumb Security Questionnaire

I’ve posted Hangar’s Dumb Security Questionnaire over on our tech blog:

[S]ecurity teams often end up sending potential vendors a bunch of questions – what Latacora calls a Dumb Security Questionnaire. As the title implies, the practice … isn’t great. Most DSQs are full of questions with no security value (which explains why most security teams don’t actually read the responses!). But unfortunately, they’re also kinda the best we can do. Huge companies might be able to afford real human-powered security audits and convince vendors to allow them, but small startups like ours don’t have a better option than relying on DSQs.

As Latacora points out, it turns out there isn’t really a ton that you need to ask. As a startup, we’re not looking for our vendor to be Fort Knox; we just need to know that storing data with them is at least as safe as storing it internally. There are a limited number of likely ways that our vendor might get owned; we just need to ask about those few basic things. Latacora ends their post with this:

Someone — and I am not volunteering — should write the DSQ that just nails these basic things. 10 questions, no diagrams.

We tried; go check it out.