I see a lot of RFPs. That’s a good thing in my business, and we are excited to respond to them and participate in the opportunity. While working on an RFP recently, I realized that there was a surprising lack of questions across the board about security, and specifically about SSO and access management. There were questions about supported protocols, application integration, architectures, hardware recommendations, etc., but nothing focusing on what the system does in action. For example, when a user logs in and the company is then responsible for their session, how secure is that session?
Really, there is little point in deploying a multi-factor authentication system that includes risk analysis if, once the user is authenticated, a simple XSS or other attack can trick the browser into passing session cookies to an attacker, who can then simply replay them.
I am surprised that I don’t see more questions about what the solution does to defeat these possible attacks, including timeouts, the HttpOnly flag, cookie domain settings and the various other settings that secure the session after authentication. I almost never see questions asking about alternative session schemes other than cookies. More “what if” or “how” questions could help improve the procurement process by adding real-world data that would help separate “the men from the boys.”
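The settings named above (timeouts, HttpOnly, cookie domain scope) are easy to check once the solution is in front of you. The following is an added example, not code from the original post or from any vendor's product: a small audit of a Set-Cookie header against those settings, and a server-side session store that enforces an idle timeout and an absolute timeout so a replayed cookie is only useful for a bounded window. The hostnames (`sso.example.com`), the thresholds (15-minute idle, 8-hour absolute, 12-hour Max-Age limit, 16-character identifier heuristic) and the sample headers are assumptions constructed for illustration.

```python
"""Session-cookie hygiene checks (added example; not code from the original post).

Two pieces an evaluator can run against an SSO / access-management solution:
  1. audit_set_cookie(): parse a Set-Cookie header the solution emits and flag
     the settings the post mentions (HttpOnly, Secure, SameSite, Domain scope,
     cookie lifetime) plus an identifier-length heuristic.
  2. SessionStore: server-side sessions with idle and absolute timeouts, so a
     stolen cookie stops working after a bounded window even if it is replayed.
Hostnames, thresholds and sample headers are constructed for illustration.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Callable


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val}).
    Attribute names are lower-cased; bare flags (HttpOnly, Secure) map to ''."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str, expected_host: str | None = None,
                     max_age_limit: int = 12 * 3600) -> list[str]:
    """Return findings for one Set-Cookie header; an empty list means nothing flagged.
    expected_host is the host the cookie should be scoped to (assumed input)."""
    _name, value, attrs = parse_set_cookie(header)
    findings: list[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: script can read the cookie, so XSS can exfiltrate it")
    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plaintext HTTP")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie rides along on cross-site requests")
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and expected_host and domain != expected_host.lower():
        if expected_host.lower().endswith("." + domain):
            findings.append(f"Domain={domain} is broader than {expected_host}: shared with sibling hosts")
        else:
            findings.append(f"Domain={domain} does not match {expected_host}")
    if attrs.get("max-age", "").isdigit() and int(attrs["max-age"]) > max_age_limit:
        findings.append(f"Max-Age={attrs['max-age']}s exceeds {max_age_limit}s: long-lived cookie")
    if len(value) < 16:
        findings.append("session identifier shorter than 16 chars: likely low entropy (heuristic)")
    return findings


@dataclass
class _Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table with idle and absolute timeouts (seconds)."""

    def __init__(self, idle_timeout: int = 15 * 60, absolute_timeout: int = 8 * 3600,
                 clock: Callable[[], float] = time.time) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self._clock = clock  # injectable so expiry can be tested deterministically
        self._sessions: dict[str, _Session] = {}

    def create(self, user: str) -> str:
        """Issue a fresh, unguessable session id (256 bits from the OS CSPRNG)."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = _Session(user, now, now)
        return sid

    def resolve(self, sid: str) -> str | None:
        """Return the user for a live session, or None (and drop it) once expired."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > self.idle_timeout or now - sess.created > self.absolute_timeout:
            del self._sessions[sid]
            return None
        sess.last_seen = now  # activity extends the idle window, never the absolute one
        return sess.user

    def revoke(self, sid: str) -> None:
        """Explicit logout: the cookie value is useless from this point on."""
        self._sessions.pop(sid, None)

    @staticmethod
    def cookie_header(sid: str) -> str:
        """Set-Cookie value carrying the protections the audit looks for. No Domain
        attribute is set, so the browser scopes the cookie to the issuing host only."""
        return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

Run `audit_set_cookie(header, expected_host="sso.example.com")` on the Set-Cookie value captured from a login to the candidate solution; each string in the result is a question worth putting in the RFP. The store deliberately keeps two clocks, idle and absolute, because refreshing only an idle timer lets a replayed cookie live for as long as the attacker keeps using it.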
I believe that we should all begin to focus on the security of our session management software in more detail. What do you think? Why does it appear that we are no longer focused on the fundamentals of security and are instead too interested in playing buzzword bingo inside an RFP? I have even come across instances where it was suggested that the best technique for timeout security was to make sure the device the user is using for authentication locks itself after a specific time (a response I find both laughable and scary at the same time).
Without asking about session security in the procurement process, a key security capability of the solution could easily be missed.