🍎 Hack23 Discordian Cybersecurity Blog

1️⃣ Posture Sécurité

Ce que cela signifie : Quelle sécurité a infrastructure fournisseur, pratiques développement et sécurité opérationnelle ?

Quoi vérifier :

• Certifications : SOC 2 Type II (pas Type I !), ISO 27001, PCI DSS si traite paiements
• Tests Pénétration : Quand dernier test ? Qui l'a effectué ? Pouvez-vous voir résultats ?
• Gestion Vulnérabilités : Vitesse correctifs ? Temps réponse CVE ? Politique divulgation publique ?
• Historique Incidents : Ont-ils été violés ? Comment ont-ils répondu ? Ont-ils notifié clients ?
• Équipe Sécurité : En ont-ils une ? CISO ? Ingénierie sécurité ? Ou "géré par IT" ?

Vérification réalité : "SOC 2 conforme" sans voir rapport ne signifie rien. Audit Type I est théâtre ponctuel. Type II est un an preuves. Demandez rapport. Lisez exceptions. Faites confiance, mais vérifiez. En fait, sautez partie confiance. Juste vérifiez.

2️⃣ Traitement Données

Ce que cela signifie : Quelles données fournisseur accède, traite ou stocke ? Où ? Pour combien temps ?

Quoi vérifier :

• Localisation Données : Où données stockées ? UE ? US ? Multi-région ? Pouvez-vous choisir ?
• Rétention Données : Combien temps gardent-ils ? Pouvez-vous supprimer ? Rétention sauvegardes ?
• Accord Traitement Données (DPA) : Conforme RGPD ? Droits audit ? Liste sous-traitants ?
• Chiffrement : Au repos ? En transit ? Gestion clés ? Qui contrôle clés ?
• Contrôles Accès : Qui peut accéder vos données ? MFA requis ? Journaux audit disponibles ?

Vérification réalité : Niveau gratuit SaaS a zéro garanties sécurité. "Conditions Service" ≠ Accord Traitement Données. "Chiffré" sans contrôle clés signifie ils peuvent tout lire. RGPD n'est pas optionnel dans UE. DPA n'est pas agréable à avoir. C'est obligatoire.

3️⃣ Continuité Activité

Ce que cela signifie : Que se passe-t-il quand (pas si) fournisseur a panne, violation ou fait faillite ?

Quoi vérifier :

• SLA : Qu'est-ce garanti ? Pourcentage disponibilité ? Temps réponse ? Pénalités financières ?
• RTO (Objectif Temps Récupération) : Vitesse restauration service ? Heures ? Jours ?
• RPO (Objectif Point Récupération) : Combien perte données acceptable ? Temps réel ? Sauvegardes quotidiennes ?
• Stratégie Sauvegarde : Font-ils sauvegardes ? Où ? Fréquence ? Pouvez-vous restaurer ?
• Stratégie Sortie : Pouvez-vous exporter vos données ? Quel format ? Combien temps migration ?

Vérification réalité : SLA "meilleur effort" = pas SLA. Architecture multi-région semble géniale jusqu'à défaillance deux régions (oui, ça arrive). Coûts changement et temps changement déterminent degré piège. Verrouillage fournisseur est risque stratégique déguisé commodité.

4️⃣ Conformité

Ce que cela signifie : Fournisseur répond-il exigences réglementaires votre industrie et géographie ?

Quoi vérifier :

• RGPD : Si UE ou servez clients UE, non négociable. DPA requis.
• ISO 27001 : Certification système gestion sécurité information. Réel, pas marketing.
• Spécifique Industrie : PCI DSS (paiements), HIPAA (santé), FedRAMP (gouvernement US)
• Exigences Régionales : Lois résidence données, exigences souveraineté, réglementations locales
• Droits Audit : Pouvez-vous les auditer ? Envoyer évaluateurs ? Revoir preuves conformité ?

Vérification réalité : Badges "conformité" sur site web ≠ conformité réelle. Demandez rapports. Vérifiez dates expiration. Vérifiez portée. Théâtre conformité est théâtre coûteux qui n'empêche pas violations.

5️⃣ Stabilité Financière

Ce que cela signifie : Fournisseur existera-t-il année prochaine ? Peuvent-ils investir sécurité ?

Quoi vérifier :

• Âge Entreprise : Startup ? Établie ? Acquise ? Risque faillite ?
• Financement : Taux combustion capital-risque ? Rentable ? Croissance revenus ?
• Position Marché : Leader ? Challenger ? Acteur niche ? Produit mourant ?
• Base Clients : Nombreux petits clients ? Peu grands ? Un gros client = risque
• Qualité Support : Réactif ? 24/7 ? Forum communauté seulement ? Paiement incident ?

Vérification réalité : Services gratuits sont fermés. Startups non rentables sont acquises et tuées. Leaders marché deviennent complaisants. Problèmes financiers fournisseur mission-critique deviennent vos problèmes opérationnels. Diversification pas juste investissements. C'est pour fournisseurs aussi.

🔴 AWS: Mission Critical Infrastructure

Classification: Tier 1 Mission Critical (Extreme confidentiality, Critical integrity, Mission Critical availability)

Reality:

• Security Posture: ✅ ISO 27001, SOC 2 Type II, PCI DSS, FedRAMP High. Multi-region DR.
• Data Processing: ⚠️ US-based company, EU data residency available, encryption at rest/transit, customer-managed keys possible
• Business Continuity: 99.99% SLA, <5 min RTO, <1 min RPO, 24/7 support
• Compliance: ✅ GDPR compliant, extensive compliance program, audit rights
• Financial Stability: ✅ Market leader (33% market share), Amazon-backed, profitable

Risk Assessment: Very high vendor lock-in. Proprietary services create switching costs. Multi-region architecture mitigates outage risk. Shared responsibility model means AWS secures infrastructure, you secure everything else.

Porter's Five Forces: Extreme supplier power. High entry barriers. Minimal substitute threat. Dominant rivalry advantage. Translation: They own you. Plan accordingly.

🟠 GitHub: Code Repository & CI/CD

Classification: Tier 2 Business Essential (Very High confidentiality, Critical integrity, High availability)

Reality:

• Security Posture: ✅ SOC 2 Type II, ISO 27001, SLSA Level 3, Advanced Security features, secret scanning
• Data Processing: ⚠️ US-based (Microsoft), code stored globally, audit logs available, DPA signed
• Business Continuity: 99.9% SLA, 5-60 min RTO, business hours support
• Compliance: ✅ GDPR compliant, SOC 2 annually, comprehensive security program
• Financial Stability: ✅ Microsoft-owned, 90% market share, enterprise-focused

Risk Assessment: High lock-in due to GitHub Actions, Copilot, Advanced Security integration. GitLab alternative exists. Local backups mitigate risk. Repository compromise = intellectual property theft = game over.

Real Talk: One leaked Personal Access Token = full repo access. One compromised Actions runner = supply chain attack vector. One weak 2FA = credential stuffing target. Secure your GitHub like it's your production database. Because it is.

🟠 SEB: Corporate Banking

Classification: Tier 2 Business Essential (Very High confidentiality, Critical integrity, High availability)

Reality:

• Security Posture: ✅ Swedish FSA regulated, PSD2 compliant, SWIFT network member
• Data Processing: ✅ Sweden-based, Swedish data residency, GDPR native compliance
• Business Continuity: 99.5% SLA, 1-4 hour RTO, 24/7 emergency support
• Compliance: ✅ FSA oversight, AML/KYC verified, strong customer authentication
• Financial Stability: ✅ Major Swedish bank, centuries-old, systemically important financial institution

Risk Assessment: Swedish oligopoly limits alternatives. High switching costs (payroll, integrations). Regulatory requirements create lock-in. Banking security is regulated security. Trust, but verify. Actually, just verify.

Supply Chain Insight: Bank breach = financial data exposure = customer notification requirement = reputational damage = regulatory investigation. Financial services suppliers need highest security scrutiny.

🟡 Security Tooling: FOSSA, SonarSource, StepSecurity

Classification: Tier 3 Operational Support (Moderate confidentiality, Moderate integrity, Standard availability)

Reality:

• Security Posture: ✅ SOC 2 Type II (SonarSource, FOSSA), GitHub-native security (StepSecurity)
• Data Processing: ⚠️ Code analysis data processed, limited retention, free tier for OSS
• Business Continuity: ⚠️ Best effort SLA, community support, easy alternatives exist
• Compliance: ⚠️ GDPR-aware, limited audit rights, standard terms
• Financial Stability: ✅ Established players (SonarSource, FOSSA), emerging (StepSecurity)

Risk Assessment: Very low lock-in. Multiple alternatives available. Free tier for public repositories. Easy switching. Security tools for security. Meta-security assessment required.

Supply Chain Paradox: Using security tools creates dependency on their security. OpenSSF Scorecard, Dependabot, FOSSA, SonarSource—all assess our dependencies while becoming our dependencies. Recursive supply chain risk. Welcome to Chapel Perilous.

1️⃣ Compromised Software Updates

Attack: Inject malware into legitimate software update mechanism

Example: SolarWinds Orion backdoor, CCleaner supply chain attack, ASUS Live Update backdoor

Why it works: Users trust automatic updates. Vendors have signing keys. Detection is delayed.

Defense: Code signing verification, update transparency logs, staged rollouts, anomaly detection

2️⃣ Dependency Confusion

Attack: Upload malicious package with same name to public registry, higher version number

Example: PyPI typosquatting, npm dependency confusion, internal package names leaked

Why it works: Package managers check public repositories first. Developers copy-paste code. Typos happen.

Defense: Private package repositories, namespace protection, dependency pinning, SBOM generation

3️⃣ Compromised Build Pipeline

Attack: Inject malicious code during CI/CD build process before signing

Example: CodeCov supply chain attack, GitHub Actions exploitation, compromised build agents

Why it works: Build systems have elevated privileges. Artifacts are trusted. Detection is pre-production.

Defense: SLSA compliance, reproducible builds, build attestation, StepSecurity hardening

4️⃣ Vendor Breach Lateral Movement

Attack: Breach vendor, pivot to their customers through shared infrastructure or credentials

Example: Target HVAC breach, Kaseya ransomware, MOVEit file transfer exploitation

Why it works: Vendors have customer access. Shared credentials exist. Trust relationships enable pivoting.

Defense: Network segmentation, credential isolation, zero trust architecture, least privilege

5️⃣ Transitive Dependency Vulnerabilities

Attack: Exploit vulnerability in dependency of dependency (transitive dependency)

Example: Log4Shell in log4j-core, Heartbleed in OpenSSL, Struts vulnerabilities

Why it works: Transitive dependencies are invisible. Updates are delayed. Impact is widespread.

Defense: Dependency scanning, SBOM generation, automated updates, vulnerability monitoring

✅ Continuous Monitoring

Track security posture over time, not point-in-time snapshot. Status pages, breach notifications, security advisories, community intelligence.

Hack23 approach: Tier 1 suppliers = quarterly review, Tier 2 = monthly check, Tier 3 = automated monitoring. Documented in SUPPLIER.md.

✅ Evidence-Based Assessment

Don't accept claims. Request reports. SOC 2 Type II (full report, not summary). Penetration test results. Vulnerability scan data. Incident response procedures.

Hack23 approach: Tier 1 suppliers provide annual reports. Tier 2 provide security questionnaires with evidence. No exceptions.

✅ Risk-Based Prioritization

Not all suppliers are equal. Critical suppliers get deep assessment. Supporting services get basic review. Match effort to risk.

Hack23 approach: 4-tier classification (€10K+ = Tier 1 Critical). Porter's Five Forces analysis reveals vendor power. CIA+ classification reveals data risk.

✅ Contractual Controls

Put requirements in contracts, not questionnaires. DPA for GDPR. SLA with penalties. Breach notification timeframe. Audit rights. Exit procedures.

Hack23 approach: Tier 1 = 24-hour breach notification, annual audit rights. Tier 2 = 48-hour notification, DPA required. All documented.

🔍 Automated Monitoring

What to monitor:

• Service Status: Subscribe to status pages. AWS status, GitHub status, all critical suppliers.
• Security Advisories: CVE notifications, security bulletins, vendor security blogs
• Breach News: Google Alerts for "[Vendor] breach", security news aggregators, community intelligence
• Compliance Status: Certificate expiration dates, SOC 2 report dates, ISO recertification timelines
• Financial Health: Funding announcements, layoff news, acquisition rumors, market position

Hack23 implementation: Automated monitoring for all Tier 1-3 suppliers. Status page webhooks. Security advisory RSS feeds. Quarterly manual review.

📊 Tier-Based Oversight

Frequency matches risk:

• Tier 1 (Mission Critical): Quarterly executive review, annual Porter's Five Forces reassessment, continuous automated monitoring
• Tier 2 (Business Essential): Monthly management review, semi-annual security validation, documented risk tracking
• Tier 3 (Operational Support): Quarterly operational check, annual security assessment, standard monitoring
• Tier 4 (Supporting Services): Annual review, automated tracking, incident-triggered assessment

Escalation triggers: Security incidents, compliance failures, service degradation, contract breaches, strategic changes

🚨 Incident Response Integration

Vendor breach = your incident:

• Detection: Supplier notification, security advisory, monitoring alert, community intelligence
• Classification: Tier 1 supplier breach = automatic critical incident (€10K+ potential impact)
• Response SLA: <30 minutes for critical supplier incidents, CEO escalation, stakeholder communication
• Coordination: Joint response with supplier, data impact assessment, customer notification per DPA

Contractual requirement: Tier 1 suppliers must notify within 24 hours. Tier 2 within 48 hours. Incident coordination procedures documented.

📈 Metrics & Reporting

What to track:

• Supplier Count by Tier: How many critical suppliers? Concentration risk?
• Assessment Currency: When was last review? Overdue assessments?
• Incident Frequency: Which suppliers have incidents? Pattern recognition?
• Switching Costs: How trapped are we? Exit strategy viable?
• Compliance Coverage: How many suppliers have DPAs? SOC 2 reports? Audit rights?

Hack23 transparency: All metrics documented in SUPPLIER.md. Quarterly Board reporting. CEO oversight for Tier 1.

🎪 "We're SOC 2 Compliant"

Theater: SOC 2 badge on website. No report provided. "Trust us, we passed."

Reality: SOC 2 Type I = point-in-time audit (useless). Type II = one year evidence (useful). Report contains exceptions (what they failed at).

What to ask: "Can I see the Type II report? What's the observation period? Any exceptions? When's next audit?"

If they won't share the report, they probably have bad exceptions or it's Type I theater.

🎪 "We Take Security Seriously"

Theater: Vague security page. Generic claims. "Best practices" without specifics.

Reality: Every vendor claims this. Nobody defines "seriously." Marketing speak, not security evidence.

What to ask: "Who's your CISO? When was last pentest? What's your vulnerability SLA? Show me your incident response plan."

Serious about security = named security team + public security policy + transparent vulnerability management.

🎪 "Bank-Level Encryption"

Theater: "Military-grade" or "bank-level" encryption. Sounds impressive. Means nothing.

Reality: AES-256 is AES-256. "Military-grade" isn't a standard. "Bank-level" is marketing. Encryption without key management is theater.

What to ask: "What algorithm? What key size? Who manages keys? Where are keys stored? Can you decrypt my data?"

If they control the keys, they can decrypt everything. If they can decrypt, so can governments and hackers who breach them.

🎪 "99.9% Uptime Guarantee"

Theater: High percentage sounds great. No SLA penalty. "Guarantee" without teeth.

Reality: 99.9% = 8.76 hours downtime per year. 99.99% = 52 minutes. "Guarantee" without financial penalty = marketing.

What to ask: "What's the financial penalty for SLA breach? How do you measure uptime? What's excluded from SLA?"

SLA without penalty = no SLA. "Planned maintenance" excluded from uptime = creative accounting.

🎪 "GDPR Compliant"

Theater: "We follow GDPR" without Data Processing Agreement. Cookie banner = compliance.

Reality: GDPR compliance requires DPA for processors. Right to deletion. Data portability. Breach notification within 72 hours.

What to ask: "Can I see your DPA? Where's data stored? How do I export my data? What's your breach notification process?"

GDPR isn't optional in EU. DPA isn't a nice-to-have. Vendor non-compliance = your compliance problem.

🎪 "Trusted by Fortune 500"

Theater: Customer logos on homepage. Implies security. Proves nothing.

Reality: Enterprise customers can get breached too. Target was Fortune 500. Equifax was Fortune 500. SolarWinds served Fortune 500.

What to ask: "What enterprise security features exist? Different SLAs for enterprise? Enhanced support? Dedicated security reviews?"

Big customers ≠ secure vendor. Big customers = bigger target for attackers. Logo wall = marketing, not security evidence.