Security- How do you know?

[catch]

What is your top consideration in evaluating a product's security?

Number of reported vulnerabilities
Scale of informal review
Product reputation
Formal evaluation against a standard
Attractiveness of the person pitching the product
Other (please explain)

In addition to answering, please provide your level of purchasing power (or just "personal"), level of education and any related certifications you may hold.

I think this information will be very enlightening for discussing security with the widest range of people, by determining patterns (if any exist in who responds to what)

cheers,

catch

[foxyloxley]

I like to check out any product myself, and if I can handle it....................nuff said.

I work for a company that provides tech support for schools, we provide a 'complete' service.
The LEA [local education authority] provides funding and server admin, we provide everything else.

From basic security tools [AdAware, SpyBot etc] to a particular software package that a school requires, we like to be able to say that we have loaded, ran. tested and used the product.
Hence my tick on the 'other' notch of the poll.

As for the rest of the qualifications :

Education = High School [Long time ago]
Certs = still studying [Comp TIA A+, N+ CCNA]
Purchase power = if the client wants, the client gets. although the client eventually pays, I do have to recommend their choice to the boss.

[catch]

So you are saying that you determine how secure something is by yourself? I'm not asking about how user friendly or even practical something is. How do you decide between two firewalls, or operating systems, or anything where security is the primary concern?

cheers,

catch

[Relyt]

Good Evening,

Great Question for discussion!

Number of vulnerabilities could indicate that it is a fairly secure product in that it has been targeted by the deviants, been patched, and lives on to fight another battle. So I wouldn’t discount this as contributing consideration.

Scale of informal review can be a viable part of the consideration.

Formal evaluation against a standard could be very impressive as well.

Attractiveness of the person pitching the product. Maybe for a date, but other than a professional appearance, that would not influence any consideration about the product.


So what is your top consideration in evaluating a product’s security?

Other: Configuration Options over its Capabilities. It’s unlikely that we will have one product that fits the bill for every need, so obviously having the ability to configure and mate-up appropriate products to cover the different aspects of security is paramount.

Job related and Personal experience, many different OS’s since 1981.

cheers

[!mitationRust]

Standards are the yardstick of the industry, if I do recollect emendately, and that security is measurable, theoretical(capabilities/assurances) and practical($).

*edit* Forgot the objective of the thread.
Personal and I hold a BS in geoscience with geophysical emphases from the University of Texas-Dallas in 1999.

[Und3ertak3r]

The security of a product is more a game of Russian roulett..

My considerations are:

1/ Formal evaluation or 5 against a standard or standards.. don't rely on one review, be aware that the review is only as good as the criteria used to evaluate the product.
2/ Product History and company Reputation an independant evaluation here also.. you don't go to Ford to find the good and bad points of a GM vehicle (it may give you more points to consider than you realy need).
3/ Unpatched or non circumventable vulenerabilities is certainly a serious concern..IF the weakness is in an area of my requirements and/or cant be disabled.
4/ yeh.. just because there are no posted Exploites or vulnerabilities dosent mean that there isnt a gapping hole with a open invitation.. eg Winzips bug that was in the product from v4 upto V8 or Symantec's Norton AV's recent disclosure of a bugs going back a couple of years/versions..

As I said.. the best evaluation .. careful selection.. your still playing russian roulet

Attractiveness of the person pitching the product

I resisted for a while from saying this.. "It depends what she is offering"

[XTC46]

I try to test products in a little control lab first. Ill Hose a box with stuff that I know well (i.e. certain viri, adware, etc if I am testing anti-virus/anti-adware products. Then run them in normal/administrator/safe modes and see what they turn up. I also check around for known bugs etc. and leave it running for a while to see if it cauese problems (also monitor processor use, etc)

if it is something like a firewall. I configure it best can and then try break into it, and run as many programs that are made for looking for hooles/exploits as I can find against it. I also try throwing virus infected computers on the insde to see how it reacts. then once again look online to see what everyone else says.

[catch]

I find two things very interesting/surprising so far:

1. Zero votes for Scale of informal review.
2. The number of users how rely on their own abilities to determine how secure a product is.

#1, I can't recall how many times I've heard about how much better open source is because of all the extra sets of eyes on a product, yet no one so far actually believes this.

#2, you all must be a lot smarter than myself... cause I would never trust my own ability to comprehensively test a product, much less multiple competing produts with regard to security while actually holding a day job.

cheers,

catch

[Tim_axe]

Purchasing Power: Personal

If I realized that "informal review" meant Open Source software (and review of the code), I'd have ticked a vote for it.

• 1) How does it work? What solution does this product have to whatever it is designed to address, and how does it do so? IE, is this a one-size fits all product (new expandible design!), or is it a lean & mean crunching machine (proven methodology)?
  
• 2) Features? Does it do something I don't want it to do (a blinking pencil comes to mind), and do I get to select/control what it does and does not do (user serviceable)?
  
• 3) Track record? To be fair I mean #1 by this; how has the implementation of #1 reared its ugly butt (economy 4 cylinder vehicle that can't tow trailers?) or how has it shown fruits of success (food blender making yummy milk shakes)?
  
• 4) I might as well get the opinions of others (competition?)...

When I judge something, I firstly take a look at it and see if I like how it works. Especially for web applications, how the author decided to code it can quickly spotlight potential problems. Even taking a look at what the product is capable of doing, and how it relies on doing that is important. One thing my review of all Nuke software (PHPNuke/PostNuke, etc) highlighted that there was no way to enforce what a module did (and that everything had to deal on databases on its own, or try to follow Nuke spec if global searches were to be possible), and that many people just hacked together some code that worked and called it a day. Needless to say a solution like that which is highly uncoordianted doesn't hold well in my book.

I also look at what the product tries to do that it shouldn't. I don't want my texteditor to browse the Internet; I want it to be a text editor. Unfortunately both OO.o & MS Word do infact browse the Internet, although the former apparently uses the application selected as default at the OS level instead of the latter which seems to use some APIs for a product I don't get to select as well as I'd like.

Finally, I also consider the history of the product and how the issue was resolved. If there was a huge problem and the author patched it, and this patch has a problem...along with all of the other patches the software needed...well, I'd begin considering something else. If something is the new kid on the block and thus has no reported vulnerabilities, I'm also cautious. So far Drupal.org is about the only "new" software that I have any confidence in because over the 6-9 months or so I've used it there was only one reported vuln and it was something non-critical that probably didn't reflect the rest of the code. I have yet to truely open it up and see how it looks at the source level, but it thinks the way I do and I don't see any flaws jumping out at me immedietely.

[scratchONtheBOX]

Other

1) Cutomization

Formal evaluation against a standard - In addition to the standards in the product, being involved in a VERY LARGE CORPORATION before, I want to reflect something about customization.

Setting up a reliable and secured system to be implemented in the production (I just want to emphasize the security aspect of the product), in order to consider the product's security (in an operational stand-point), I could say that CUSTOMIZATION is to be considered. Answering the question like "HOW WILL THE PRODUCT BE DEPENDABLE AND PROVIDE A SMOOTH, RELIABLE AND SECURED PROCESS ON THE EXISTING SYSTEM ESPECIALLY IF THERE IS A NEED FOR PRODUCT ADJUSTMENT RATHER THAN CHANGE THE ENTIRE EXISTING SYSTEM?" is the main concern of the company. Don't take this idea as far from the SECURITY ASPECT, since the meaning of a secured product includes it's reliability from start to end process. If the company's requirement from the product cannot be addressed (on certain standards), customization takes place. Products should be flexible enough to serve its purpose in a multi-process system. Taking consideration, for example, Accounting System, although it has standard processes, CUSTOMIZATON can be considered in a critical area where the SECURITY itself is involved. To dig deeper, we go to the payment process involved in the product. It should carefully be analyzed if such product could serve critical payment process in which existing manual system is doing. Automating payment system should carefully take in consideration the various means associated with the existing procedures. If the standard process of the product cannot serve the existing process of the client, a CUSTOMIZED version should be formulated or presented.

Another more relevant example is setting up corporate antivirus system to control Company E-Mails. With the same company, way back during the time that FULL network is just starting to be implemented, one problem that the Information System Dept. had faced is to choose an Enterprise AV that would addressed the issues involved in the network. Company E-Mail system needs to be controlled since during that time (1999), rise of VIRUS spreading via E-Mail were iminent on that company. The IS Dep't. had to be careful in evaluating AV product that will suit the fresh E-Mail system. Consulting firms especializing in this field had been most helpful and had recommended the customize and flexible type of AV product.

In a Larger Organization (WHERE PURCHASING POWER IS NOT A PROBLEM - BUDGET IS GOOD ), it is essenstial to consider CUSTOMIZATION and FLEXIBILITY of the product. As long as the product will address the issues involved, it could be consider a good secure point in the Organization entire process.


2) R & D (Research and Development)

As long as the product has continuous R & D, say presenting expandability and scalability, especially in the SECURITY and SOPHISTICATION (it goes hand-in-hand, right?), it will be good bet on it.

Yo!