Before you give a software vendor access to your systems, your client data, or your employees' personal information โ you need to know whether their security is actually up to scratch. Most small businesses don't check. They look at the website, read a few reviews, and sign the contract.
This checklist covers the security checks you should run on any software vendor before signing. Each check is free to run manually and takes between 1 and 10 minutes.
Why security checks matter for your business: Under the Australian Privacy Act, your business is responsible for how personal information is handled by your vendors. A vendor breach is not just their problem โ it's yours too, with Notifiable Data Breach obligations that can require you to notify affected customers and the OAIC.
Check 1 โ SSL certificate (HTTPS)
The SSL certificate is the padlock in your browser. It establishes that the connection between your browser and the vendor's server is encrypted. But not all SSL implementations are equal โ old configurations using outdated protocols (TLS 1.0, TLS 1.1) or weak cipher suites are still common.
How to check: Go to ssllabs.com/ssltest and enter the vendor's domain.
- Grade A/A+ โ strong configuration, well maintained
- Grade B โ acceptable but some outdated settings
- Grade C or below โ outdated TLS, ask vendor to explain and remediate before signing
Check 2 โ HTTP security headers
Security headers are instructions a web server sends to your browser to prevent common attacks like clickjacking, cross-site scripting, and protocol downgrade attacks. Their presence indicates a security-conscious development team. Their absence indicates the opposite.
How to check: Go to securityheaders.com and enter the vendor's domain. You want to see at minimum:
- Strict-Transport-Security (HSTS)
- Content-Security-Policy
- X-Content-Type-Options
- X-Frame-Options
Check 3 โ Email security (SPF, DKIM, DMARC)
These three DNS records control whether fraudsters can send emails that appear to come from the vendor's domain. A vendor without DMARC can have their domain spoofed โ meaning you or your clients could receive convincing phishing emails that appear to be from "support@[vendor].com".
How to check: Go to mxtoolbox.com and search the vendor's domain.
- DMARC policy = reject โ strong. Unauthenticated emails are rejected.
- DMARC policy = quarantine โ moderate. Suspicious emails go to spam.
- No DMARC or DMARC = none โ weak. Domain can be spoofed freely.
Check 4 โ Data breach history
Has the vendor's domain appeared in a known data breach? This check searches the HaveIBeenPwned database, which tracks publicly disclosed breaches affecting millions of accounts.
How to check: Go to haveibeenpwned.com/DomainSearch and search the vendor's domain.
A result here doesn't automatically disqualify a vendor. What matters is how they handled it. Ask for their incident report and confirm what remediation steps were taken.
Check 5 โ Independent security certifications
Does the vendor hold any of the following?
| Certification | What it means | How to verify |
|---|---|---|
| ISO 27001 | International information security management standard | Ask for certificate with issuing body and validity dates |
| SOC 2 Type II | Independent audit of security, availability, and confidentiality controls | Ask for report (under NDA if needed) |
| Essential Eight | Australian Cyber Security Centre framework for cyber resilience | Ask for self-assessment or independent verification |
| IRAP | Australian government information security assessment | Check ASD IRAP register |
Note: most small and medium-sized software vendors will not hold any of these certifications. Their absence doesn't mean the vendor is insecure โ but their presence is a strong positive signal. And a vendor that holds no certifications should be asked more questions, not fewer.
Check 6 โ Information leakage in server headers
Some vendors expose their technology stack in HTTP response headers โ "Powered by PHP 5.4" or "Server: Apache/2.2" tells attackers which known vulnerabilities to target. This is a minor finding but it indicates whether the vendor's security team is paying attention to details.
How to check: Open Chrome DevTools (F12), go to the Network tab, load the vendor's homepage, click the first request, and look at the Response Headers. X-Powered-By or Server headers revealing specific technology versions are sub-optimal.
The security check scorecard
| Check | Pass condition | Fail condition | Weight |
|---|---|---|---|
| SSL certificate | Grade A or A+ | Grade C or below | High |
| Security headers | 4+ of 5 key headers | Missing most headers | Medium |
| Email security | SPF + DMARC reject | No DMARC, policy=none | High |
| Breach history | No breaches found | Recent undisclosed breach | High |
| Certifications | ISO 27001 or SOC 2 | None found | Low-medium |
| Server headers | No technology disclosure | Specific versions exposed | Low |
Run all 13 checks automatically
Stop doing this manually. Validios runs 13 live background checks on any vendor in 60 seconds โ sanctions, breaches, ABN, SSL, email security and more. Free to view. $19.99 for the full audit-ready PDF report.
Check a vendor free โFree to view ยท $19.99 for the full report ยท No subscription
What to do with your findings
If a vendor fails multiple high-weight checks, raise them directly before signing. A reputable vendor will acknowledge the findings and either explain existing mitigations or commit to remediation on a specific timeline.
A vendor that dismisses security concerns or can't explain their security posture is telling you something important about how they'll handle your data.
Aligned with Australian Essential Eight: The Australian Cyber Security Centre's Essential Eight framework specifically includes patch management and application control as mitigation strategies. Running vendor security checks before onboarding is directly aligned with Essential Eight Maturity Level 2 requirements for organisations that outsource to third-party providers.