Monday, April 6, 2009

Would you mind explaining how your security works?

Sometimes it's funny to see the faces of people when you ask that. Sometimes it is about an organization, sometimes about a product. Usually the answer comes as a bunch of acronyms, standards and nice phrases like "risk management process". The fun starts when there's also stuff like "100% secure", "certified against hackers" and "military grade encryption".

What is surprising to me (and to others too, as I noticed here) is that sometimes the questions are unexpected. Not only generic questions about the security of a service provider or a product, but also questions about their security details. I'm not surprised that the answers are crappy; I'm surprised that they are surprised by the questions! Hey guys, are you asking the right questions of your vendors? I remember working for a card processing company and asking some software providers about the security aspects of their products; they didn't know how to answer. Worse, they would eventually reply "companies A, B and C are using it and nobody there asked us about it". What kind of questions are they hearing? Stupid things like "is this software PCI certified?" (!), "is it SOX certified?" (!!!) and "is it ISO 27001 certified?" (!!!!!!!!). It's not hard to see why there's so much bullshit about security from vendors: there are people out there buying (and enjoying) it.

Decently secure services and products will only be available when buyers start to (properly) ask for them. If nobody is asking, why would vendors bother?

