Beware of 'free' infosec
There has been a lot of hype in the last few weeks about security vendors who
offer assessments on the “we find holes or it’s free” basis.
I wanted to take a moment and express my thoughts on this approach.
First off, security testing choices should not be based on price. They should
be based on risk. The goal is to reduce the risk that any given operation (application,
network, system, process, etc.) presents to the organization to a level that
is manageable. Trust me, I have been in the security business for 20 years and
all vendor processes are NOT created equal. Many variations exist in depth,
skill level, scope, reporting capability, experience, etc. As such, selecting
security testing vendors based upon price is a really bad idea. Matching vendors
specific experience, reporting styles and technical capabilities to your environment
and needs is a far better solution for too many reasons to expound upon here.
Second, the “find vulnerabilities or it’s free” mentality can
really back fire for everyone involved. It’s hard enough for developers
and technical teams to take their lumps from a security test when holes emerge,
but to now also tie that to price makes it doubly difficult for them to take. “Great, I pay now because Tommy made some silly
mistake!” is just one possibility. How do you think management may handle
that? What about Tommy? Believe me, there can be long term side effects for
Tommy’s career, especially if he is also blamed for breaking the team’s
budget in addition to causing them to fail an audit.
Thirdly, it actually encourages the security assessment team to make mountains
out of mole hills. Since they are rewarded only when they find vulnerabilities and the customer expectations of value are automatically
built on severity (it’s human nature), then it certainly (even if only unconsciously) behooves the security team to note
even small issues as serious security holes. In our experience, this can drastically
impact the perceived risk of identified security issues in both technicians
and management and has even been known to cause knee-jerk reactions and unneeded
panic when reports arrive that show things like simple information leakage as
“critical vulnerabilities”. Clearly, if the vendor is not extremely
careful and mindful of ethical behavior among their teams, you can get seriously skewed views between perceived risk
and real-world risk, again primarily motivated by the need to find issues to make the engagement profitable.
In my opinion, let’s stick to plain old value. Hire an organization that
will help you find and manage your risk, that will help you focus on the specific
technical vulnerabilities in networks, systems, applications and operations
that attackers could exploit to cause you damage. Such an organization employs
deeply skilled experts whose work has value and costs money. Value. End of story.
MicroSolved, Inc.
Build your tech library with our book giveaways.
Windows PowerShell 2.0 Unleashed
By Tyson Kopczynski, Pete Handley, Marco Shaw; Published by Sams
Windows PowerShell Unleashed will not only give you deep mastery over PowerShell but also a greater understanding of the features being introduced in PowerShell 2.0–and show you how to use it to solve your challenges in your production environment. Enter now!
Ubuntu Server Administration
By Michael Jang; Published by McGraw-Hill Osborne Media
Realize a dynamic, stable, and secure Ubuntu Server environment with expert guidance, tips, and techniques from a Linux professional. Ubuntu Server Administration covers every facet of system management -- from users and file systems to performance tuning and troubleshooting. Enter now!
