I've just read a very good article about doing security evaluation of IT products. I especially liked this part:

"9. Do not be sorry for a vendor. There were projects when our evaluation results literally made people cry and beg to buy their products. One vendor even offered a 100K product for free, so they could add the company logo to the list of their customers. Remember, you are choosing the product to protect your assets and if it fails and exposes your data - you are the one who will be in trouble."

Some vendors look at me like furious animals after arguing with me about their products' security features. I just can't hear things like "We have an asymmetric 198 bits 3DES encryption" (yeah, it was exactly like that) without complaining.

What makes me feel uneasy is that if vendors are used to giving answers like that (or just saying "don't worry, the data is encrypted"), it means that people are not asking the right questions and do not understand the answers either.