Software vendors shouldn’t hide important security features like single sign-on (SSO) behind a premium paywall, security experts have warned.
For years, Rob Chahin, billed on LinkedIn as the Director of Security Assurance at Amazon’s streaming platform Twitch, has been running a site naming and shaming companies that charge extra for SSO – the technology that lets an organisation’s staff sign in to many applications with accounts held by a central identity provider such as Microsoft, Google, or Okta, so that IT can provision, control and revoke access in one place rather than in each vendor’s product.
“For organisations with more than a handful of employees, this feature is critical for IT and security teams to be able to effectively manage user accounts across dozens or hundreds of vendors, many of which don’t support features like TOTP [time-based one-time password] 2FA [two-factor authentication] or U2F [universal second factor],” Chahin said on his site.
Although it is a must-have for most companies, Chahin laments, software vendors tend to stick SSO behind their ‘Enterprise’ pricing tier – charging a premium for what he calls “a core security requirement for any company with more than five employees”.
Louay Ghashash, director of Melbourne-based firm Spartans Security and chair of the ACS Cyber Security Committee, told Information Age he is puzzled as to why features like SSO get priced up.
“It puts them in a worse position,” he said. “They’re now at the mercy of clients' password complexity when they could make it easier to bring on identity verification and make that someone else’s responsibility.
“It doesn’t cost the vendors anything, it makes everyone’s security better – why not include this as a basic-tier offering?”
One of the biggest offenders on Chahin’s list is marketing platform Hubspot, which puts SSO behind its $5,200 per month enterprise tier – more than four times the cost of its ‘professional’ tier at $1,150 per month, and 260 times its basic $20 per month plan.
Hubspot did not respond to Information Age’s request for comment. Neither did Atlassian, which has carved out a dedicated pricing tier called ‘Atlassian Access’ behind which sits a suite of identity management tools such as SSO and enforced 2FA.
Coding collaboration platform GitHub puts SSO behind its US$21 per user per month enterprise tier, leaving smaller organisations on the $4 per user per month tier, which gives them better control of their repositories but none of the core identity security features.
In a statement to Information Age, a GitHub spokesperson did not explain why SSO is held back to the premium tier but did talk up the company's “long history of protecting developer accounts”, which includes requiring all contributors on the platform to enable 2FA on their accounts by the end of this year.
The government has been encouraged to “consider options to promote secure by design principles in all products, including software, rather than as an ‘optional extra’” as part of consultation on a cyber security strategy discussion paper, a Department of Home Affairs spokesperson told Information Age.
“Stakeholders have also recommended distributing responsibility for cyber security more equitably across the supply chain and building partnerships to support small businesses,” the spokesperson said.