Slashdot Mirror

← Back to Stories (view on slashdot.org)

Questioning Security Certifications

Posted by michael on from the sheepskin dept.

prostoalex writes "BusinessWeek questions the validity of security certifications in the modern world. They take a look at Federal Information Processing Standard and the certification process. Apparently 'the testing companies make money by certifying products, not catching problems' thus implying that the seal of approval might not mean a whole lot."

5 of 103 comments (clear)

  1. Not Uncommon by theduck · · Score: 5, Insightful

    There are plenty of industries where following the money would make you think twice about the motivations of the seller of services. How about financial planners/brokers who make more cash by churning your investments? How about the auto mechanic who makes more cash by replacing your radiator when all it needed was an external cleaning (true personal experience here)? How about [fill in your own example here...everyone has one]?

    At this point, if you're not always questioning whether a service provider is taking you for a ride, then you're being taken for a ride.

    --
    How can we afford to ever sleep
    So sound again
    --ebtg
  2. Peer review by koh · · Score: 5, Insightful

    --Automated software is a good baseline approach, but it falls far short of cunning humans hammering away at systems.

    Automated software cuts costs. That's why they use it. Human security testers are expensive, even though IMHO it might be a good way for the most talented script kiddies to make a buck during summer...

    --The testing companies make money by certifying products, not catching problems.

    Of course they do, they're _certification_ companies, not tech support for security problems. Their job is not to catch problems in your software for you. It is to tell if a product is "secure" or not, according to tests. Which bring us to the point :

    1) You can't predict the future. Tests run today can't reproduce new problems that will be discovered next year. So this "security certification" is short-termed at least.

    2) There is a bias, both in the test suite used and the conception they have of "security". They're human beings too, and to them "good enough" can mean a whole less (or more) than to you.

    So what is the problem ? The problem is that apps that pass their tests is instantly classified as "secure". So we have to :

    - Expand the concept of "security" to give it a little more subjectify ("secure", according to company X, not just "secure, period).

    - Use peer-to-peer review, which has proven good at detecting security flaws, and is quite inexpensive for free software projects.

    --
    Karma cannot be described by words alone.
  3. Oxymoron by mosschops · · Score: 4, Funny

    talented script kiddies

    Whoa, there's a phrase you don't see too often.

    Wouldn't they be talented hackers/crackers, if they actually know their stuff?

  4. According the the Orange Book.. by Dynamoo · · Score: 4, Interesting
    According to the Orange Book, the now-slightly-obsolete DoD certification, Windows NT 4.0 is secure enough to get a C2 Certification.

    Now, before we all laugh and say "doesn't it show that the certifications are stupid?" consider this.. maybe the certification system does work, and all those other certified products are equally flaky. I've got a list of some TCSEC-certified systems here and frankly it's a pretty unappealing set of OSes. If there were as many Unicos systems (rated B1) out there as there were Windows, I betcha they'd find holes in it soon enough. The fundamental problem with any popular OS is that there will be thousands of hackers and wannabees probing away at it. I don't think there are many people reverse engineering CA-ACF2 MVS in their bedrooms.

    I think the motto should be: "Security Through Obscurity" - perhaps all those horrid proprietry OSes did have a point after all.

    --
    Never email donotemail@WeAreSpammers.com
  5. There is no security panacea by El+Volio · · Score: 4, Insightful
    If you think there is, you're fooling yourself. That said, as long as that axiom is kept in mind, something is better than nothing. FIPS (or any other certification) may not be a guarantee, but it should be a good indicator that due diligence has been performed and the software meets widely-accepted best practices.

    The same applies to those practices. In and of themselves, they do not guarantee that no incident will take place. But they'll hopefully minimize the impact and frequency of those incidents. The fact that the NSA or some other entity may be able to get past your security doesn't invalidate that security entirely; depending on the environment, it may be good enough.

    Information security is really all about risk management. At the end of the day, are we managing our security to the point where the risk is less than the value of the information itself? Balance business need (or whatever needs you have, if you're not a business) against the cost of extra measures. When additional measures are too expensive for the value of what you're protecting, you're secure -- at least secure enough, anyway. If everyone followed security best practices, we'd have a lot less problems than we do.

    --

    "You can never have too many elephants on your team."