Watch Security Vendors Closely

This nicely done Computerworld column lists 10 statements coming from security vendors, consultants or partners that could spell trouble.

The theme is that the person on the receiving end of the pitch must listen very carefully and dismiss anything that sounds even remotely categorical, hyperbolic or makes promises that, if kept, actually can lead to problems (such as making data too easily available). Thus, security buyers simply need to use the same common sense and skepticism as when they buy a car or a flat screen television. A big danger is that the person making the pitch could be cutting corners with full disclosure. This sort of thing is natural, and is bound to become more common as the security sector consolidates and the business gets more cutthroat.

Of course, there is no direct correlation between what software salesmen may say and the possibility of attaching legal penalties to insecure products. However, both speak to the bigger issue of security software integrity. Though it seems farfetched, a report by the Lords Science and Technology Committee — a link to it is available in this Techworld piece — suggests holding companies responsible for flaws in their software products.

Vendors reacted predictably. Symantec said such laws would have the opposite of the intended impact and hurt end-user security, while a Sophos executive pointed out the difficulty of figuring out who was to blame. A representative from McAfee said implementation often is the culprit, not the security itself.

The mix of opinion extends to Bruce Schneier — a well-known security analyst who testified in favor of the approach in front of the House of Lords — and this blogger, who argues in a long post that forging a set of rules to force improved security is impossible in as immature an area as security software.

The reality is that competition among security vendors is rising, prices are shrinking and many products are moving toward becoming commodities. That’s good for end users, of course. But it also means that there is more pressure on vendors and the ecosystem of which they are part. The bottom line is that every statement vendors make must be vetted very carefully and, in the long run, financial pressure may mean that less care may be paid to products. Does this mean the logical conclusion — that vendors be held legally responsible for bad software — will come to pass? We think it’s unlikely. But it clearly is an interesting idea.