We all know how important operational security (OpSec) is within our own organizations and professional lives, but how many of us think about the OpSec of the vendors we work with? In my own experience working with companies of all sizes, this is one of the first things that I look at whenever I am trying to assess the overall security posture of a company. If they’re sloppy with the small, easy-to-catch details, they’re probably missing a whole lot more. The reality is, that sloppy OpSec can put the value of any security solution at risk, and potentially undermines the investment that has been made.
We take our operational security very seriously to ensure that we’re not making any rookie mistakes that could adversely impact any of our customers. As such, we naturally look to our peers and competitors and in doing so, discovered that while some are tidy, many are not. Here’s what we found with some suggestions on how to avoid these pitfalls at your organization.
Why does my security vendor's OpSec matter?
In security, it is important to keep any and all information that may be potentially beneficial out of the hands of our adversaries. This can include everything from the backend infrastructure / software that may be running on the backend, to the security solutions protecting these applications. The more an attacker knows, the easier it is for them to build out a successful attack. Therefore we want to work as hard as possible to prevent someone from taking even a small step.
What happens when OpSec is overlooked?
To really understand the impact of an OpSec oversight, let’s take look at a real-world example of an organization providing website security services which may not be following best practices. For the sake of anonymity, we’ll call this company “Anti Bot Website Protection Inc.” In this scenario, we’re going to pretend that we’re attackers attempting to perform a distributed credit card washing attack, to resell valid credit cards on the ‘dark web.’
The first thing we’ll attempt to do is to understand the security infrastructure sitting around the payment gateway so that we know what we’re up against.

