Security Marketing Spinning Further Out of Control

In the UK we have the Advertising Standards Authority. If someone makes a claim in an advert, they need to be able to back it up. If you say Fish Fingers are rich in Omega 3 then be prepared to prove it. If you have a magic face wand that removes wrinkles then make sure it does. The ASA themselves are legless and can’t levy fines but they work with other government organisations that can. This is one reason why the shopping channels don’t work here.

When will someone challenge the ever increasing flood of BS security marketing?

I just got a Google alert for Barracuda Networks (http://www.barracudanetworks.com) who can PCI Your Problems Away for $10,000.

this is the first appliance to fully secure Web applications and ensure compliance with regulations, such as Payment Card Industry Data Security Standard (PCI DSS) for $10,000

Hmm…I didn’t think so.

“We are essentially bringing plug-and-play PCI compliance to the mass market,” said Stephen Pao, vice president of product management for Barracuda Networks. “Until now, most businesses in the SMB space were facing very expensive and time-consuming audits of their Web infrastructures in order to achieve PCI compliance. Further, these audits would be required every time the organization makes a change to their Web applications, so it is very possible that such costs could very quickly overwhelm a business.”

Hmm…I very much doubt it.

and secures Web sites against the top 10 major Web vulnerabilities compiled by Open Web Application Security Project (OWASP).

Hmmm…definitely not!

Sung to the tune of Bon Jovi

It’s a shot in the dark
And you’re to blame
You give the security industry a bad name
I’ll play my part if you play your games
You give the security industry a bad name
You give the security industry a bad name


7 Comments on “Security Marketing Spinning Further Out of Control”

  1. Walt Conway Says:

    Great post. I posted a link on the Higher Education PCI blog: http://treasuryinstitute.org/blog/index.php?itemid=94

  2. Mike Says:

    If you read their datasheet it clarifies the specific requirements they address.

  3. Anthony Franks Says:

    You are dead right. Another classic SOS story — what I defined yonks ago as Snake Oil Software; you know the kind of schtick: weight loss? Lay your hands on your laptop and lose thirty pounds (or $10K). SOX compliance? Nothing simpler. $10K. Yeah, right. PCIDSS/FISMA/HIPAA etc etc $10K. Glass crack pipe time. At the end of the day there is no quick fix. Security requires carefully constructed overlapping layers that combine physical and technical measures. But at the heart of it has to be an intelligent squashy organism. (This therefore debars certain corporate departments in their entirety.) No brain: no gain. If security is seen as a cost centre (at $10K a pop here) then it will never become core business, which is stupid, dangerous and wrong. It makes real security practitioners like myself (in the words of the guru Molesworth) hem hem, seethe with hypertensive fury that common sense does not prevail. In fact, infosec is proof positive that common sense isn’t. Anthony Franks, aged 103, late of Hangleton, probably now known as West Brighton.

  4. Anthony Franks Says:

    Sorry about the spelling in the above polemic; early morning, not enough sleep, yadda yadda yadda. There is probably a programme for $10K that can fix that too. Sigh.

  5. Justin Somaini Says:

    I’m mixed about this. On one side I want to laugh at the absurdity. On the other side I want to rip them apart. I’m sick and tired of sales teams using any buzz word they have to tout their product. If it was that great I’m sure they would be in at LEAST 1 financial environment and I doubt they are.

    On second thought, if this works I could start a business, McGuiver Inc., and say that I can resolve all SOX/PCI/ISO issues with some gum and a toothpick.

  6. hellnbak Says:

    Great post. I just added a link to it on my new blog - http://hellnbak.wordpress.com

  7. Hannaford update « Tripwise Says:

    [...] At least Hannaford was certified as PCI-DSS compliant… [...]
