Before you give a software vendor access to your systems, your client data, or your employees' personal information โ€” you need to know whether their security is actually up to scratch. Most small businesses don't check. They look at the website, read a few reviews, and sign the contract.

This checklist covers the security checks you should run on any software vendor before signing. Each check is free to run manually and takes between 1 and 10 minutes.

Why security checks matter for your business: Under the Australian Privacy Act, your business is responsible for how personal information is handled by your vendors. A vendor breach is not just their problem โ€” it's yours too, with Notifiable Data Breach obligations that can require you to notify affected customers and the OAIC.

Check 1 โ€” SSL certificate (HTTPS)

The SSL certificate is the padlock in your browser. It establishes that the connection between your browser and the vendor's server is encrypted. But not all SSL implementations are equal โ€” old configurations using outdated protocols (TLS 1.0, TLS 1.1) or weak cipher suites are still common.

How to check: Go to ssllabs.com/ssltest and enter the vendor's domain.

Check 2 โ€” HTTP security headers

Security headers are instructions a web server sends to your browser to prevent common attacks like clickjacking, cross-site scripting, and protocol downgrade attacks. Their presence indicates a security-conscious development team. Their absence indicates the opposite.

How to check: Go to securityheaders.com and enter the vendor's domain. You want to see at minimum:

Check 3 โ€” Email security (SPF, DKIM, DMARC)

These three DNS records control whether fraudsters can send emails that appear to come from the vendor's domain. A vendor without DMARC can have their domain spoofed โ€” meaning you or your clients could receive convincing phishing emails that appear to be from "support@[vendor].com".

How to check: Go to mxtoolbox.com and search the vendor's domain.

Check 4 โ€” Data breach history

Has the vendor's domain appeared in a known data breach? This check searches the HaveIBeenPwned database, which tracks publicly disclosed breaches affecting millions of accounts.

How to check: Go to haveibeenpwned.com/DomainSearch and search the vendor's domain.

A result here doesn't automatically disqualify a vendor. What matters is how they handled it. Ask for their incident report and confirm what remediation steps were taken.

Check 5 โ€” Independent security certifications

Does the vendor hold any of the following?

CertificationWhat it meansHow to verify
ISO 27001International information security management standardAsk for certificate with issuing body and validity dates
SOC 2 Type IIIndependent audit of security, availability, and confidentiality controlsAsk for report (under NDA if needed)
Essential EightAustralian Cyber Security Centre framework for cyber resilienceAsk for self-assessment or independent verification
IRAPAustralian government information security assessmentCheck ASD IRAP register

Note: most small and medium-sized software vendors will not hold any of these certifications. Their absence doesn't mean the vendor is insecure โ€” but their presence is a strong positive signal. And a vendor that holds no certifications should be asked more questions, not fewer.

Check 6 โ€” Information leakage in server headers

Some vendors expose their technology stack in HTTP response headers โ€” "Powered by PHP 5.4" or "Server: Apache/2.2" tells attackers which known vulnerabilities to target. This is a minor finding but it indicates whether the vendor's security team is paying attention to details.

How to check: Open Chrome DevTools (F12), go to the Network tab, load the vendor's homepage, click the first request, and look at the Response Headers. X-Powered-By or Server headers revealing specific technology versions are sub-optimal.

The security check scorecard

CheckPass conditionFail conditionWeight
SSL certificateGrade A or A+Grade C or belowHigh
Security headers4+ of 5 key headersMissing most headersMedium
Email securitySPF + DMARC rejectNo DMARC, policy=noneHigh
Breach historyNo breaches foundRecent undisclosed breachHigh
CertificationsISO 27001 or SOC 2None foundLow-medium
Server headersNo technology disclosureSpecific versions exposedLow

Run all 13 checks automatically

Stop doing this manually. Validios runs 13 live background checks on any vendor in 60 seconds โ€” sanctions, breaches, ABN, SSL, email security and more. Free to view. $19.99 for the full audit-ready PDF report.

Check a vendor free โ†’

Free to view ยท $19.99 for the full report ยท No subscription

What to do with your findings

If a vendor fails multiple high-weight checks, raise them directly before signing. A reputable vendor will acknowledge the findings and either explain existing mitigations or commit to remediation on a specific timeline.

A vendor that dismisses security concerns or can't explain their security posture is telling you something important about how they'll handle your data.

Aligned with Australian Essential Eight: The Australian Cyber Security Centre's Essential Eight framework specifically includes patch management and application control as mitigation strategies. Running vendor security checks before onboarding is directly aligned with Essential Eight Maturity Level 2 requirements for organisations that outsource to third-party providers.