Wednesday, June 29, 2005

How to buy a security product 

I just read some security product purchasing advice. It was all common sense business practice that you could apply to any situation where you deal with vendors.

I'd add some points to it. For one thing, don't trust any vendor who promises a complete solution to your security problems. Honest ones will talk in terms of risk management and explain what subset of security threats they mitigate.

Check whether they offer an easy way for outsiders to report security problems. It's disgusting how often I see people having to ask "I just found a security flaw in ___, does anyone know of a security contact at the company?". How on earth is the maker of ___ supposed to keep it secure if they can't even find out what the problems are?

Think about whether you can get hold of the expertise to keep their gadget running. You can't beat the price, performance and flexibility of an OpenBSD firewall with pf, but it's not much good if you have to bring in a consultant from two states away to make changes.
