Presenting Security Ideas or Driving Agendas?
I opened the OWASP Europe Conference this week with a slide (below) about vendor neutrality.
In essence I urged attendees to consider the motivations of those presenting various ideas at the conference, including myself of course. During the conference it was pointed out that the moderator of a panel, “The PCI 6.6 Dogfight - to Scan or to WAF”, worked for a WAF company. In fairness it was a genuine mistake, and I know of their integrity from personal experience and from their interactions with some of my friends; but it illustrates the scope of the problem.
Today’s newspapers in the UK have stories about the Advertising Standards Authority and Trading Standards Authority, who have decreed that fortune tellers will need to declare that their services are for entertainment only.
I guess they didn’t see that coming!
For many years almost all countries in the world have enforced disclaimers on cigarettes.

I wonder if we will ever see ads for security tools that say “Only when used in conjunction with a comprehensive risk management program can this tool help reduce the risk to your company”?
May 25, 2008 at 8:01 am
As the moderator who works for a WAF vendor, I have to say that the real issue was that I selected only people representing tools (commercial or free) for the panel. In a way, this is natural for PCI 6.6 which is a “vendor criteria”, offering tools as the solution for a problem. Maybe the panel’s title should have been: “PCI 6.6: are these really the solutions?”
However, interestingly enough, the conclusion of the panel was that whatever tool you use, the human factor is key to its effectiveness, which I think agrees very well with Mark’s thesis.