If you’re going to store sensitive documents as a would-be major transaction or document management system vendor, you need to keep your servers patched.
- Running Apache/2.2.15 as the web server is not acceptable. The vulnerabilities fixed since that release are publicly listed by the Apache httpd project. Servers should be on the current 2.4 release (2.4.7 at the time of writing); leaving the web server unpatched since early 2010, when 2.2.15 shipped, is NOT professional.
- Using PHP/5.3.14 as a platform is likewise not acceptable. Its known vulnerabilities are publicly listed as well. It’s long past time to upgrade to the current release (5.5.6 at the time of writing); not patching your platform since mid-2012, when 5.3.14 shipped, is NOT professional.
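As an added example (not code from the original post), here is a small Python check that does what the two findings above describe: read the Server and X-Powered-By banners from an HTTP response and flag any Apache or PHP version below a baseline. The baselines are the 2.4.7 and 5.5.6 the post names as current, and the HTTP response in the script is constructed to mirror the banners reported above. One caveat a practitioner should keep in mind: some distributions backport security fixes without bumping the advertised version, so a hit is a prompt to ask the vendor which fixes its build carries rather than proof by itself, and a vendor that hides its version has not thereby patched anything.

```python
"""Flag outdated Apache/PHP versions advertised in HTTP response headers.

Added example; not code from the original post. Baselines are the releases
the post names as current. The sample response is constructed, not captured.
"""
import re

# Minimum acceptable versions, per the post (current releases at its time of writing).
BASELINES = {"Apache": (2, 4, 7), "PHP": (5, 5, 6)}

# Banner form "Name/1.2.3" as it appears in Server and X-Powered-By headers.
# Apache may also embed the PHP banner in its own Server line, so both headers
# are scanned for both products.
BANNER_RE = re.compile(r"\b(Apache|PHP)/(\d+(?:\.\d+)*)")

# Constructed response mirroring the banners the post calls out.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15\r\n"
    "X-Powered-By: PHP/5.3.14\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)


def parse_headers(raw_response):
    """Return {lowercased header name: value} from the head of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_version(text):
    """Turn '2.2.15' into (2, 2, 15) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_outdated(headers):
    """Return {product: (advertised, baseline)} for each banner below its baseline.

    Caveat: a banner below baseline means "ask what fixes this build carries";
    distributions sometimes backport security fixes without changing the version.
    A missing or version-less banner (e.g. ServerTokens Prod) yields no finding,
    which is not evidence that the server is patched.
    """
    findings = {}
    for header in ("server", "x-powered-by"):
        for product, version in BANNER_RE.findall(headers.get(header, "")):
            if product in findings:
                continue  # same product already seen in an earlier header
            baseline = BASELINES[product]
            if parse_version(version) < baseline:
                findings[product] = (version, ".".join(map(str, baseline)))
    return findings


def audit(raw_response):
    """Convenience wrapper: raw response in, findings out."""
    return find_outdated(parse_headers(raw_response))


if __name__ == "__main__":
    for product, (advertised, baseline) in audit(SAMPLE_RESPONSE).items():
        print(f"{product}/{advertised} advertised; baseline is {baseline}")
```

In practice the raw response would come from a HEAD request against the vendor's login page (curl -sI or urllib); the parsing and comparison are the same. The check is deliberately conservative: it reports only what the server itself says, and the follow-up question to the vendor is what turns a banner into a finding.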
You’re lucky I’m not calling you out by name. But when I help with a selection process, you are off the list.
The question is, how do we get application vendors to take reasonable steps to improve information security in our industry? Some are great when it comes to security, but many can’t seem to be relied upon to do the basics, like staying up to date with patches, let alone take their information security to the next level and implement reasonable best practices.
Brokers and agents don’t generally know enough to keep tabs on their vendors, and even when they do, they lack leverage with them. I only find issues with vendors for my MLS/Association, franchise or broker clients when they invite me to perform a security audit – certainly not a comprehensive and timely approach – and even then vendors are sometimes resistant when those clients try to get them to take better care of the data. One major association management system vendor has left a most horrible security flaw in place more than a year after one of their biggest customers (one of my clients) gave them notice of the issue.
I’ve tried to get my clients to include information security as part of their selection criteria and to add better security-related language to their contracts, and it has had a positive result, at least anecdotally … but issues like the one pointed out above are all too prevalent. Thankfully many organizations in our industry use my skills as part of their technology selection, but I’m not hired by everyone and I can’t be everywhere!
What can we do about this, as an industry? I’ve got a few more ideas in the hopper, but I’d like to see what the community says.