Security People vs. Security Vendors

April 15th, 2008 Drazen Drazic Posted in Bad Stuff, Dumb Security, PCI, PCI DSS, Web Application Security

Maybe I should be nicer and say Security People vs. Security Vendor Sales guys. Two different worlds as we’ve talked about before and as we had a laugh about here with the Symantec Guarantee.

Security product sales guys can be dangerous to an organisation that takes on trust that these products are going to be its security salvation. Remember this one? Happy to send the press release out, but when actually questioned by Michael Crawford… no response! I got a nice wrap for this from Marcus Ranum and the boys at SANS at the time.

So today, I'm at a non-IT-related seminar. Very-sure-of-himself dude from a large IT company comes to stand near us; “What do you do?” I give him a very polite 15-second introduction to the world of infosec consulting from the eyes of Securus Global.

“Never heard of you guys… so you pen test?” (not upset… not that I think he knew what that meant anyway, but obviously if you are an infosec consultant, that is what you do in his mind). “Oh… we have things in common,” he says, “we work with organisations on compliance, and PCI compliance in particular. We just bought an application firewall company and have incorporated that into our product!”

“That’s excellent!”, I said. “Business must be booming!” (thought bubble saying; “please go away”).

“Yeah, it protects them against…(DD tune out)….yep, does it all!” (Still looking at me like you guys are superfluous).

“Okay…cheers mate…BTW, where is the bathroom….nice to meet you!”

So much of this to look forward to at Auscert 2008! :-)

4 Responses to “Security People vs. Security Vendors”

  1. See, this is why when people ask me what I do I just say ‘oh you know, … this and that’. They can’t come back with ‘oh right! yeah, we have just started doing this and that too!’ (or at least if they do, I know they’re cool).

  2. @Drazen Drazic,

    What was the event (i.e. name, date) when this occurred?

  3. @cmlh It was yesterday. Angels/VC discussion in town. No motives…just went out of interest.

  4. My, that’s painful.

    The belief that these shiny products fix all PCI/security needs seems a little dangerous, and I’m sure it leads to companies spending their PCI compliance budget on products without even looking at the standard, and then being shocked when they find out they’re not even close to compliance.

    Grr.