Good security from the get-go beats adding it later
As a baseline, the companies you buy software from should support secure authentication: single sign-on (SSO), multifactor authentication (MFA), and in particular phishing-resistant MFA such as FIDO2/WebAuthn security keys or passkeys, rather than one-time codes delivered by SMS or email, which a phishing page can relay in real time. Just as important, ask whether the vendor has removed default passwords from its products, or is eliminating them across all product lines and publishing the timeline for doing so. A default password is a factory-set credential shared by every installation of a product, which is why it is among the first things attackers and automated scanners try.
For years we have used software that has been subject to vulnerabilities such as SQL injection, weak cryptography, and cross-site scripting (XSS), to name a few. These are not one-off bugs but classes of defect with well-understood, systematic fixes: parameterized queries instead of string-built SQL, vetted standard cryptographic libraries instead of home-grown or outdated algorithms, and templating that escapes output by default. Push vendors to communicate whether they are eliminating these classes of defect from their code base, rather than patching individual instances as each one is reported.
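As an added illustration (example code written for this page, not code from the original article or from any vendor), here are two of the defect classes named above side by side: the vulnerable form and the fix that removes the whole class rather than one instance. The accounts and attacker inputs are constructed, the function names are hypothetical, and only Python's standard `sqlite3` and `html` modules are used, so it runs offline.

```python
import html
import sqlite3

# Constructed sample accounts for the demo; not data from any real system.
# Plain-text passwords only to keep the example short; real code stores
# salted hashes (e.g. hashlib.scrypt) and compares those, never the raw secret.
SAMPLE_USERS = [("alice", "wonderland"), ("bob", "builder")]


def make_db():
    """Create an in-memory SQLite database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Defect: SQL is assembled by string formatting, so the caller's
    input becomes part of the statement instead of being treated as data."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(sql))


def login_fixed(conn, name, password):
    """Fix: a parameterized query. The driver binds name and password as
    values, so no input can change the structure of the statement."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def greeting_vulnerable(name):
    """Defect: untrusted text is inserted into HTML verbatim (reflected XSS)."""
    return f"<p>Welcome, {name}!</p>"


def greeting_fixed(name):
    """Fix: HTML-escape untrusted text before placing it in a text node."""
    return f"<p>Welcome, {html.escape(name)}!</p>"


def run_demo():
    """Exercise both pairs with attacker-controlled input and return results."""
    conn = make_db()
    sqli = "' OR 1=1 --"          # comments out the rest of the WHERE clause
    xss = "<script>alert(1)</script>"
    return {
        "sqli_vulnerable": login_vulnerable(conn, sqli, ""),   # every account
        "sqli_fixed": login_fixed(conn, sqli, ""),             # no match
        "legit_fixed": login_fixed(conn, "alice", "wonderland"),
        "xss_vulnerable": greeting_vulnerable(xss),            # script tag intact
        "xss_fixed": greeting_fixed(xss),                      # tag neutralised
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The point of the pairing is that the fixed versions are not "more careful" string handling; they move the work to a mechanism (parameter binding, output encoding) that makes the defect impossible to reintroduce at that call site, which is the kind of class-level elimination worth asking a vendor about.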
In addition, review whether your vendors plan to move to memory-safe languages such as Rust, Go, C#, Java, Swift, Python, and JavaScript. These languages rule out by default whole classes of memory-access bugs (buffer overflows, use-after-free, out-of-bounds reads) that account for a large share of serious vulnerabilities in C and C++ code, enforcing safety through bounds checking, garbage collection, or compile-time ownership rules. Two caveats worth raising with a vendor: most of these languages still offer explicit escape hatches (Rust and C# `unsafe` blocks, foreign-function calls into native libraries), so ask how that code is reviewed; and a migration is a multi-year roadmap, so ask which components are moving first, ideally those that parse untrusted input.