Security Software Must be Secure: 25 Questions To Ask Security Vendors

A little over 10 or so years ago, when I was responsible for information security and privacy at a large financial organization, I was doing research into PKI products and solutions. The sales exec for one of the products I was considering insisted on coming onsite with his “lead scientists and engineers” to tell me and some other folks in the IT and information security area about how wonderful their PKI product was. I did some research and prepared a couple of pages of questions to ask them about the specifics of their product. The sales exec, who has since gone on to other work and is also now a friend of mine, later told me that he felt like shrinking and hiding under the table as I asked questions about the specifics, functionality and support of their product that the developers themselves could not answer, and, even worse, many that they had not even thought about.


That taught me an important lesson that has stayed with me over the years: just because it is a security product does not mean the product itself is secure.
Every week it seems there are headlines about security products containing vulnerabilities that put the organizations using them at risk. No computer system security product can ever be guaranteed to be 100% secure. However, business leaders must still perform due diligence when choosing a security product to ensure that everything possible has been done by the vendor to remove all known vulnerabilities, and that the vendor will continue to diligently update their product to ensure all newly discovered security flaws are quickly and effectively removed.
Earlier this week I posted a new white paper to this site, “Security Products Must Be Secure.”
(NOTE: Free registration is required to get to the white papers.)
I was pleasantly surprised to read that Mike Rothman at Security Incite had already found the paper and talked about it in his blog today. Check out Mike’s site; he has good information and thought-provoking insights.
Within the white paper I provide a list of the core 25 questions I have used over the years to help determine the security and trustworthiness of security products. I hope you will find them, and the other information within the paper, useful when you are making a security product purchase decision.
If you use additional core questions when choosing your security products, please share them! I’ll add them to my list of 25 and sometime in the future post an updated list if I get more.
