the worst security questionnaire questions

Probably the worst thing about business-to-business (B2B) security questionnaires is that you know 90% of them are being required, but never really reviewed. You can sort of answer anything, and as long as you have a “yes” or check mark of any sort, the reviewer isn’t smart enough to dig further. (Kinda like PCI QSAs!) Because of this situation where not-smart people are reviewing these answers, there are some questions I dread. Especially when someone gets a burr up their ass about better answering a question they don’t understand. I.e. achieving that checkbox!

So, what is your least favorite question to read on B2B security questionnaires?

For me, it is any question that involves DDoS protection. I work for an SMB. Our DDoS protection is pretty much hitting the low items.

1) We monitor bandwidth and servers and services to know when any are saturated or having resource issues.
2) We will work with our upstream ISP in the event we need their help in limiting inbound traffic to us.
3) Our standard for systems and processes is to provide for both high availability and disaster recovery/BCP. (In fact, we’re pretty nicely set up that way for an SMB of our size.)
4) As a bonus, we do have some capability to do some traffic threshold monitoring, shaping, and shunning with our firewall/IPS and web load balancer combo, but that is only after the traffic makes its way to us.

But if someone wants that answer to be better and more proactive, you cause me to drink some more. Because what that really says is I should spend a good 100-250k on DDoS protection software (that won’t itself promise anything anyway) and a staff member to hold its hand, so that our checkmark in that DDoS box is a little more heavily outlined (and yet still not necessarily truthful). And even with that spend, there are multiple other places where a DDoS may occur. Wireless access on our campus. Email blasts. Legitimate traffic that exceeds what anyone planned for that fills our bandwidth/drops our firewalls/keels over web servers/overwhelms database servers/etc. Most of the time people who think about DDoS are just thinking about junk traffic filling up their Internet bandwidth, or maybe one step further and looking for known, singular resource-gouging attacks like a ping of death or Slowloris or something. But what about poorly written code in your custom application that bogs down resources that no tool is going to drop into place and automatically detect because, well, it’s custom code?

Anyway, coming in a close second to DDoS questions are Web App Firewall questions. Sure, we have one, but is anyone actually making it useful to the custom apps it is protecting? Nope, not beyond the obvious like a 1000+ character URL (Apache issue from 10 years ago) or a GET for root.exe…