Penetration Testing mailing list archives
Re: My Frustrations
From: Cedric Blancher <blancher () cartel-securite fr>
Date: Fri, 19 Dec 2008 12:55:08 -0800
Hi Joseph.

On Friday 19 December 2008 at 01:58 -0500, Joseph McCray wrote:

> The customer isn't a security expert, and often can't differentiate between you and someone that's not as technical as you.
That's the fundamental issue I see. The problem is, this customer is not able to tell if what you tell him, trying to demonstrate your experience, makes more sense than the other guys' statements.

Just let me paraphrase the comment I left on Adriel's blog. Basically, there is a situation in economics referred to as "information asymmetry" [1] that fully applies to the security market. The most quoted paper related to this is "The Market for Lemons" [2] by George Akerlof. I am not an economist at all, but I think this makes a lot of sense to explain the security market situation, although it does not give answers.

This paper describes the consequences of information asymmetry for the second-hand car market, where you can find crappy cars (lemons) and good ones (cherries). Basically, the asymmetry comes from the fact that sellers know which cars are lemons and which are cherries. But most buyers, although they know there are lemons and cherries, can't tell the difference between the two. This paper has been discussed a lot, but basically, you face a situation where buyers have very few choices. One of them, and actually the most common one apparently, is to adopt a safe posture consisting of buying cheaper to get the most value, a posture we can roughly translate into limiting the impact of getting screwed. As a result, the whole market is pulled down by lemons as cherries will not sell, to a point where it can collapse, which means for instance buyers will exit the market and go for brand new cars.

Now, let's get back to our security market. We are talking about security practitioners, but we could have the exact same reasoning for products (I will get back to them later). So we have skilled practitioners and unskilled ones. Both of them are trying to convince customers they are the best pick, and as customers can't tell the difference between the two, they tend to adopt the posture of the lesser cost. Because unlike car buyers, they don't really have an alternate market to exit to: they need security, and some of them have to deploy some thanks to regulations. Therefore, the wide range of skill levels we can find on this market, from highly skilled and experienced people to blatant newbies, tends to pull the whole market down, with the best practitioners either leaving the market or lowering their service quality to match the market price, at best fighting hard to make their living.

Now, what can we do to answer that situation? Obviously, it is a question of information. Customers must be given the right signals so they can better understand the difference between practitioners and what they propose. They need a non-compressible amount of credible information that allows them to tell the difference between a skilled guy and a newbie, or between an automated vulnerability assessment and a penetration test, as an example. Now comes the question of knowing who can deliver these signals. Can we do this as practitioners? As stated below, our voice often has no more weight for our customers than the bullshit we can find around. Independent entities? Sure, but which ones? Certifications? They sure have a role to play, but they have limits we all know... Basically I don't have any good answer outside trying to educate the best we can, for what it's worth.

But I think the most interesting field is actually the product market, where we face the exact same situation, maybe even worse actually. If I give the average customer two products, say antiviruses, from two different vendors, one being crap and the other good, will he be able to tell the difference? Or just answer this very basic question: what makes a good antivirus? Not to mention that "good" also depends on his environment and therefore can have different meanings for different people. And if one is costing more than the other, what do you think he will do?

The "funny" thing there is that law is actually increasing the asymmetry, because in many countries, you are not allowed to dig into the product for the sake of security. I do not specifically mean looking for vulnerabilities (all products have vulnerabilities), but having a rather precise idea of how products are working, their overall quality and security. Like whether the guys developing them know what they do or not, basically. Therefore, you end up in a situation where not only are customers not informed, but people who actually have the skills to perform that type of analysis are restricted in what they can do and say, unless they feel brave enough to spend the next 10 years in courts, challenging current laws.

Well, that's my 0.02 EUR of thinking for the day ;)

[1] http://en.wikipedia.org/wiki/Information_asymmetry
[2] http://en.wikipedia.org/wiki/The_Market_for_Lemons

--
http://sid.rstack.org/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus. Copy me to your signature file and help me spread!