Vulnerabilities, bugs, and system compromise seem to be happening all around us. Earlier this morning, news about CCleaner’s compromise seemed to be at the top of every tech news feed. Instead of talking specifically about CCleaner (which has been done to death), I want to talk about whether or not a breach should immediately disqualify a tech company. In my experience, there are 3 types of software:
- Software that has been compromised
- Software that will be compromised
- Software where the compromise was covered up
I don’t care if you are the best in your field; you have made mistakes in your work at some point (or you haven’t worked in it long enough). If I’m wrong and you have never made a mistake, please let me know; I would love to talk and learn your secret. While mistakes will happen, I would argue that what happens next is what should speak volumes – not the mistake itself. My criteria for evaluating the security of a piece of software or a service are as follows:
- How frequently actual breaches have occurred (not just vulnerabilities which are patched before being made public).
- How open are they about vulnerabilities/breaches? (Do they try to cover them up, or do they own up to them?)
- How quickly are the vulnerabilities/breaches fixed once they are discovered?
- How often are vulnerabilities/breaches found by internal teams (their own QA or audit team) vs. external sources (outside security researchers, crackers, etc.)?
- When dealing with the aftermath of the vulnerability/breach, how detailed is the analysis? (This speaks to the team’s technical competency in handling remediation and in preventing similar vulnerabilities in the future.)
At the end of the day, once a breach has happened, heads will roll. Lessons will be learned, and it is unlikely that the same mistake will happen twice.
So… to answer my first question, no. Past compromise does not disqualify a service or software in my book. Depending on how the compromise was handled once it was discovered, it may actually make me more likely to use their products. After all, if a software company or service tells you that they have never been compromised or had any vulnerabilities, it just means they haven’t found them yet or they tried to cover them up. (And whatever you do, don’t try to claim that you “have [your] own security system, and it has never been breached in more than 15 years” as evidence that your service is more secure than industry standards.)