Saturday, May 6, 2017

Of Snakeoil and Infosec

To start, apologies for posting another opinion piece.  This topic has been bugging me for a while, and along with a post by another security blogger last week, I felt it needed to be said.

To all infosec vendors, hardware, software, and services....

Please check your grand claims and marketing bullshit at the door.  There is no need for it.  If your product/service is good, we in the community will know it.  We will talk about it.  We will BUY it...  However, if you use terms like 'unhackable', 'unbreakable', '100% secure'....  We will ALSO talk about it, but not in your favor.  Nor will we 'buy' it.  Shit claims like this are why you (and especially your marketing division) are the laughing stock of the rest of the world.  

First

NOTHING is unbreakable (Sorry Oracle, you of all companies should know this is BULLSHIT).  If you claim that your product is 100% secure, EXPECT me to test it.  I will, and I will find its flaws.  And, of even greater threat to you, I WILL publish the findings.  

The recent article by Scott Helme about nomx (https://scotthelme.co.uk/nomx-the-worlds-most-secure-communications-protocol/) was the catalyst for me to write this.  Too many times vendors make grand claims to sell blinkenlights: products or services to 'solve' the security problem.  If you make the claim, have the balls to back it up, or shut up.  You are directly responsible for your customers' current security issues.  They trust you, believe you, buy into you.  And what do you do?  You sell them snake oil.  Magical cures which, in the end, do more harm than good.  

Second

So that brings me to a second point.  If a researcher, or anyone, goes through the work to point out the flaws in your 'widget', man up and respond with respect.  These guys often have more knowledge, and have done more work to secure your products, than your whole security team.  Responding with threats of litigation or defamation against their skills or character will not only NOT win you friends, but will actively turn the community against you.  The best defense is not always a good offense.  It just proves you are an offensive company that should be avoided.

Scott's article is not the only example of such actions being taken.  Infosec history is LITTERED with examples.  (https://www.wired.com/2013/04/ciphercloud-stackexchange/ was a personal favorite.)  Even I myself have been accused of making false claims against a company when I exposed that company's claims of 'best of breed' encryption to be rubbish.  

Thoughts of a Conclusion

This got me thinking.  Why would a company fight so hard against the community that has conclusively shown their product or service is flawed?  And it hit me....

If you are an honest infosec vendor, you know it's best to work with the community, not against it.  There are thousands of people who would be willing to put forth hard work to help improve security, no matter where it is.  You know it will be worth the effort because the effort is worthwhile.

If you are a snakeoil salesman, a researcher pointing out flaws is threatening you with extinction.  So I can see why you would fight so hard.  Just know, there are no perfect secrets, all truth comes out, and everyone will get what they truly deserve in the end.  Stop before you start; you are not smarter than the rest of the world, and we WILL figure you out!
