Monday, March 31, 2008

detecting snake oil

working for a bank gives me the privilege of working with a lot of partners on security-related projects. it seems that in most people's minds, bank equals security, so they tend to put a very high focus on security (which is good) whenever they have something to present to me. all of the partners i've worked with over the last few years try very hard to prove that their solutions, their products, their networks... are secure.

some of them are pretty awesome; working with them sometimes gives me a lot of hints on doing the right thing (TM) in security. unfortunately, those are rare. in other words, most are clueless about security.

here are some hints that may be helpful if you want to detect those snake-oil companies:

1. the security-clueless often talk restlessly about stuff like firewalls, ids, and anti-ddos (some even tell me proudly that their firewalls can strike back at the sources of a ddos attack ;)). with all due respect to networking gurus, i have to say it seems that a lot of security-clueless people were networking gurus in their previous lives. the most clueless are those who reduce security to merely a networking issue. they tend to think they can solve all security problems with tons of fancy networking devices. a firewall that lets port 80 through also lets through every flaw in the application listening on it. please remember that there are 7 layers in the OSI model, and the weakest one isn't even listed: the human.

2. "you can be secure using our products" or "our solutions are secure" are things you often hear from the security-clueless. excuse me, secure from what, secure against whom? just go ahead, ask this question and see how they react. please keep in mind that nothing can be secure against unexpected disasters, e.g. earthquakes, floods, electricity blackouts, etc., and nothing can be secure against a trusted employee who somehow turns malicious (or mistakenly performs some irreversible action).

3. the security-clueless never pay attention to stuff like scalability and high availability. they think scalability means performance and that high availability is solved by running two or more servers in active-standby mode. let me remind you that the purpose of security is not only to protect you against attacks but also to help you serve your users safely whenever they want. i tend to think the latter includes the former, btw.

4. the security-clueless rarely talk about cryptography. a verisign ssl certificate seems to have become the silver-bullet answer to all cryptography-related questions. most of them don't like to discuss cryptography at all, which is easy to understand since cryptography is tough and not easy to get right. please don't trust anybody who tells you how secure they are because they "encrypt" your passwords with md5 (without a salt): md5 is a fast hash, not encryption, and without a per-user salt an attacker can check one precomputed dictionary against every user's password at once.
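as an added example (not part of the original post, and not any partner's code), here is what "md5 without salt" costs in practice, next to a salted, deliberately slow hash. PBKDF2-HMAC-SHA256 from python's standard library stands in for a proper password hash, since the post names none; the users, passwords and wordlist are constructed for the demonstration:

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data for the demonstration (not real users or a real breach).
WORDLIST = ["123456", "password", "letmein", "qwerty", "iloveyou"]
USERS = {
    "alice": "password",    # alice and bob picked the same password
    "bob": "password",
    "carol": "letmein",
    "dave": "Tr0ub4dor&3",  # not in the attacker's wordlist
}

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's current figure). Tune it upward
# over time so that one verification costs tens of milliseconds on your hardware.
ITERATIONS = 600_000


# --- the snake-oil scheme: "we encrypt passwords with md5" --------------------

def md5_unsalted(password: str) -> str:
    """md5 is a fast hash, not encryption: same input, same output, for everyone."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def unsalted_store(users: Dict[str, str]) -> Dict[str, str]:
    """What a leaked password table looks like under the unsalted-md5 scheme."""
    return {user: md5_unsalted(pw) for user, pw in users.items()}


def crack_unsalted(store: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Hash every dictionary word once, then recover every user whose hash is in
    the table. The work does not grow with the number of users, and equal hashes
    already reveal equal passwords before a single word is tried."""
    table = {md5_unsalted(word): word for word in wordlist}
    return {user: table[h] for user, h in store.items() if h in table}


# --- the fix: per-user random salt plus a deliberately slow hash -------------

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing string 'pbkdf2_sha256$<iters>$<salt>$<dk>'.
    A fresh 16-byte salt per password means two users with the same password
    get unrelated stored values, so no table built in advance applies to them."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    alg, iters, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {alg}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def salted_store(users: Dict[str, str], iterations: int = ITERATIONS) -> Dict[str, str]:
    return {user: hash_password(pw, iterations=iterations) for user, pw in users.items()}


def crack_salted(store: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """The only attack left: try every word against every user separately, paying
    the full work factor each time. Weak passwords still fall, but the cost is now
    users x words x iterations instead of one table. Returns the recovered
    passwords and the number of PBKDF2 computations spent."""
    recovered, work = {}, 0
    for user, stored in store.items():
        for word in wordlist:
            work += 1
            if verify_password(word, stored):
                recovered[user] = word
                break
    return recovered, work


if __name__ == "__main__":
    leaked = unsalted_store(USERS)
    print("unsalted md5, alice == bob:", leaked["alice"] == leaked["bob"])
    print("unsalted md5, cracked with one table:", crack_unsalted(leaked, WORDLIST))
    hardened = salted_store(USERS)
    print("salted pbkdf2, alice == bob:", hardened["alice"] == hardened["bob"])
    got, work = crack_salted(hardened, WORDLIST)
    print(f"salted pbkdf2, cracked: {got} after {work} x {ITERATIONS} hash iterations")
```

the unsalted store gives up three of the four accounts with a single lookup table, and shows that alice and bob share a password before any cracking starts; the salted store forces the attacker to pay the full work factor for every (user, guess) pair, and the only defence it still lacks is the one no hashing scheme can supply: dave's password being the exception rather than the rule.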

please don't ask how i came to these conclusions. it's my experience. if you're in doubt (and you should be), just don't listen to me.


Anonymous said...

Thanks for this entry.

Anonymous said...

The best way is to use the security triad (confidentiality, integrity and availability) for your detection.