Questioning Security Certifications
prostoalex writes "BusinessWeek questions the validity of security certifications in the modern world. They take a look at Federal Information Processing Standard and the certification process. Apparently 'the testing companies make money by certifying products, not catching problems' thus implying that the seal of approval might not mean a whole lot."
There are plenty of industries where following the money would make you think twice about the motivations of the seller of services. How about financial planners/brokers who make more cash by churning your investments? How about the auto mechanic who makes more cash by replacing your radiator when all it needed was an external cleaning (true personal experience here)? How about [fill in your own example here...everyone has one]?
At this point, if you're not always questioning whether a service provider is taking you for a ride, then you're being taken for a ride.
How can we afford to ever sleep
So sound again
--ebtg
--Automated software is a good baseline approach, but it falls far short of cunning humans hammering away at systems.
Automated software cuts costs. That's why they use it. Human security testers are expensive, even though IMHO it might be a good way for the most talented script kiddies to make a buck during summer...
--The testing companies make money by certifying products, not catching problems.
Of course they do, they're _certification_ companies, not tech support for security problems. Their job is not to catch problems in your software for you. It is to tell if a product is "secure" or not, according to tests. Which brings us to the point:
1) You can't predict the future. Tests run today can't reproduce new problems that will be discovered next year. So this "security certification" is short-term at least.
2) There is a bias, both in the test suite used and in the conception they have of "security". They're human beings too, and to them "good enough" can mean a whole lot less (or more) than to you.
So what is the problem? The problem is that apps that pass their tests are instantly classified as "secure". So we have to
- Expand the concept of "security" to give it a little more subjectivity ("secure according to company X", not just "secure, period").
- Use peer-to-peer review, which has proven good at detecting security flaws, and is quite inexpensive for free software projects.
Karma cannot be described by words alone.