Shameless Commerce Division
Thomas Ptacek | June 16th, 2005 | Filed Under: Uncategorized
I keep whining about how slammed I am lately. Here’s part of the reason (but only part of it, and more news is coming).
This is a class about beating the hell out of security products.
You can check out the syllabus for more details. But for now, I rant:
Security vendors are just like any other technology vendor. It might not be obvious, but it should make intuitive sense. Your firewall vendor is under the same pressure that any consumer software vendor is to:
Market their products aggressively
Manipulate published tests to show their products in the best possible light
Complete revisions of their software on insane schedules
Add at least enough features with each version to keep parity with their competitors
Invent features, reasonable or otherwise, to achieve an edge over their competitors
Do the bare minimum amount of work to ship those features and grab the “merit badge”
The network security space alone represents over two billion dollars per year in revenue. In large enterprises, a single major deal can score a vendor over a million dollars. If you think vendors aren’t employing absolutely every weapon in their arsenal to get their gear deployed, you’re being naive.
A younger, dumber Thomas Ptacek would have railed against the vendors for this. (Maybe even gotten a bit vindictive). But an older, wiser Thomas Ptacek (shut up, anybody from Arbor) has begun to accept that maybe there’s nothing wrong with vendors being aggressive. Gag.
Maybe the problem is how hopelessly outgunned buyers and evaluators are. There’s no Consumer Reports (or better yet, Cook’s Illustrated) for security products. Those publications don’t take advertising, and spend their money on test labs (or kitchens). Instead, we have:
Evaluations that begin and end at running “nmap” against the IP address of an IPS.
Bogus “certification” programs with unpublished criteria that every vendor mysteriously seems to pass.
Magazine reviews that center on performance (until you turn all the defensive features on) and quality-of-UI.
Aggressively-enforced nondisclosure agreements and account qualification to keep flaws from being circulated.
Product selection influenced more by the logo on the front of the box than on the capabilities of the actual product.
Hundreds of different one-off test tools scattered across the Internet, many of which don’t build on an OS distributed within the last 5 years. (Whistles innocently).
Routine disclosure of serious flaws in major shipping products. (For some reason, I’m feeling tactful enough not to link each of those words to an advisory or white paper).
So, long story short, we saw a need for a class like this. We’re running it for the first time (in its complete form) at Black Hat this year. This time around, the class focuses on network security tools. If I was going to boil our syllabus down to three main objectives, it’d be:
How to go from a standing start to a professional-grade product testing lab in the shortest time period possible.
How to decode, debunk, and defend yourself from vendor marketing ploys and snake oil.
How to employ the same techniques attackers do to evade detection and deflection.
You can find more information about the class here, or at the Black Hat course page.